If you sell online and your site is not served over HTTPS end to end, whatever the platform, your customers already see, or will soon see, browser warnings marking the site "Not Secure". Each Firefox and Chrome release has made those warnings more prominent on HTTP pages, particularly pages with login or payment forms, and the direction is clear: plain HTTP is being treated as the exception rather than the default. The browser vendors have their own reasons for pushing this, but for merchants the outcome is simple: warned customers abandon checkouts. Below you will learn what HTTPS is and, if you run a Magento store, how to move it from HTTP to HTTPS step by step.
What is HTTPS and current security standards
When you first came across the web you probably noticed, and then ignored, a short acronym at the start of every address. It is one of the protocols that keeps the web running: HTTP.
HTTP stands for HyperText Transfer Protocol. It is the set of rules that a browser (the client) and a web server use to talk to each other: the client sends a request, the server returns a response, and both follow the format the protocol defines. On its own, HTTP sends everything as plain text that any device on the path between client and server can read or alter.
That last point is the problem, and the fix is one extra letter. The S in HTTPS stands for secure: HTTP carried inside a TLS (Transport Layer Security, the successor of SSL) connection. TLS gives the connection three properties: confidentiality (an eavesdropper on the network sees only ciphertext), integrity (modified or injected data is detected and rejected), and server authentication (the browser checks a certificate proving it is talking to the store's domain and not an impostor). It does not fix flaws in the application itself; it protects the data on the way there.
For an online store the goal is customers who buy without hesitation. The store has to feel like a safe place, and a valid HTTPS connection, signalled by the browser, is the first thing a visitor sees that says so.
The internet is moving to HTTPS
For the last few years every major tech company has pushed HTTPS: Google's HTTPS Everywhere campaign and the move of Amazon and eBay to all-HTTPS are a few examples. You may ask whether a small shop gains anything from following them. When companies of that size reshape infrastructure, the rest of the web follows; browsers, search engines and hosting providers adjust their defaults around HTTPS, and a site that stays on HTTP gets treated the way browsers now label it: as not secure.
Online stores have long been an attractive target because so much sensitive data flows through them: card numbers, passwords, security answers, addresses. Over plain HTTP all of that is readable and modifiable by anyone positioned between the customer and the store, such as the operator of a public Wi-Fi hotspot, a compromised router, or an ISP-level middlebox; the same position lets an attacker inject scripts or fake forms into the page. Carelessness with such data hurts both sides, customer and store owner.
Current state of Magento websites and HTTPS
Magento is no exception. Being the feature-rich system it is, it handles a great deal of customer data, some exclusive to the store and some that unlocks accounts elsewhere: API keys, OAuth tokens from social login (Facebook, Twitter, LinkedIn), order and password-reset emails, and so on. In transit, HTTPS is what protects that data. At rest it sits in database rows, and its safety depends on the store itself being patched; Magento publishes security patches regularly, and applying them promptly is a separate obligation that HTTPS does not replace.
Security alone is not enough to succeed in eCommerce, though. Assume customer safety is taken care of; the journey has only begun. Reaching the top of search results takes search engine optimization, which is how people who search for what you sell, without knowing your name, end up on your site. That work has two sides. One is Magento, which, configured well, produces crawlable, well-structured pages. The other is the search engine, and here is the catch: Google has used HTTPS as a ranking signal since 2014. HTTP sites are still indexed, but all else being equal, the HTTPS version ranks higher.
Magento itself will not warn a shopper about a security problem; the browser does. The typical cause after a migration is mixed content: the page is served over HTTPS but some sub-resource (an image, a script, a stylesheet, a font) is still requested over HTTP. In my experience as a developer these stray HTTP URLs are often not the store's own but external ones, most commonly images hosted on a third-party server. Browsers treat the two kinds differently: passive mixed content such as images makes the padlock disappear or turn into a warning, while active mixed content such as scripts and stylesheets is blocked outright, which can break the page. The details are not shown to the shopper; they appear in the browser's developer console, so that is where to look.
A rule of thumb I always follow, and a good starting point for anyone, is to look at the padlock in the browser's address bar before typing anything into a site. Not every shopper is a developer who can audit a page down to the last HTTP URL, which is exactly why browsers put that indicator where everyone can see it.
How to move your Magento store from HTTP to HTTPS
Transitions can be hard, and for an online store plenty can go wrong; you are essentially renovating the shop while it is open. Magento's modular architecture and a community that documents most of this make the change manageable.
Presented below is a list of all the things needed to move a Magento store from HTTP to HTTPS.
- SSL Certificate
The starting point is choosing the right certificate for your store. The certificate is what the browser checks on every visit: it binds your domain name to your key, and a certificate authority (CA) issues it only after verifying that you control the domain (domain validation, DV) and, for the pricier OV and EV types, that the domain belongs to your legal entity. Certificates range from free to hundreds of dollars a year. Price does not buy a more secure connection: a free certificate from a CA such as Let's Encrypt is trusted by browsers exactly like a paid DV certificate, and the difference lies in validation level, support, warranty and scope. Scope matters: a certificate can cover a single hostname, a wildcard (*.example.com), or a list of named hosts (multi-domain, via subject alternative names); make sure both the bare domain and the www host, plus any separate media or static domain, are covered. A common misconception is that you pay for a "stronger" key. The private key is generated on your side, not by the CA, so its size costs nothing extra; public CAs have required at least 2048-bit RSA since 2014 and will not sign a 1024-bit key at all, and 2048-bit RSA (or ECDSA P-256) is the standard today.
- Add base secure URL
Once the certificate is installed on the web server, configure the store. The most important change is the secure base URL: in Magento 1 go to System > Configuration > General > Web > Secure (in Magento 2, Stores > Configuration > General > Web > Base URLs (Secure)), set Base URL to the https:// version of your store address, and set Use Secure URLs in Frontend and Use Secure URLs in Admin to Yes. Under the hood these are the web/secure/base_url, web/secure/use_in_frontend and web/secure/use_in_adminhtml values in core_config_data, which is useful to know when scripting the change or recovering from a typo that locks you out of the admin. Flush the Magento cache afterwards, and make the change at the Default Config scope unless individual websites or store views use their own domains.
- 301 HTTP redirects
Once the store uses secure URLs, the old HTTP addresses still live on in bookmarks, links and search results, so redirect them. Every HTTP request should receive a server-side 301 (permanent) redirect to the same path on HTTPS; 301 is what tells search engines to transfer the old URL's ranking to the new one. Magento extensions can do this, but the cleaner place is the web server (Apache or nginx), which answers before Magento is even loaded and also covers static files. Redirect to the final URL in one hop (HTTP to HTTPS and www to non-www, or the reverse, together) rather than chaining redirects.
- Implementing HSTS
HTTPS sites should also send HTTP Strict Transport Security (HSTS). HSTS is a response header (Strict-Transport-Security: max-age=...) sent over HTTPS that instructs the browser to use HTTPS for every later request to the domain for max-age seconds, even when the user types or follows an http:// link, so the one insecure redirect hop disappears. Google also treats it as a signal to index the HTTPS URLs. Two caveats: HSTS cannot be undone for returning visitors until max-age expires, so start with a short max-age (a day, say), confirm that every subdomain works over HTTPS before adding includeSubDomains, and only then raise it to a year or more.
- Refactor hard coded URLs
It is critical to have developers who do things properly. In my experience the code of third-party extensions frequently contains hard-coded URLs that break the HTTPS flow we are working so hard to achieve. By hard-coded I mean URLs written as literal text (http://...) rather than generated through Magento's URL helpers, which follow the base URL setting automatically. Our team does a full scan for them: templates (.phtml), layout XML, JavaScript and CSS under app/ and skin/, but also the database, because CMS pages and static blocks (the content columns of cms_page and cms_block) and some configuration values embed absolute URLs too. Each hit is replaced with an https:// URL or a call to the URL helper; avoid the old protocol-relative form (//host/path), since there is no longer any reason to serve the page over HTTP.
- GSC Property
Create a new Google Search Console (GSC) property for the HTTPS version of the site, and keep the HTTP property so you can watch traffic move from one to the other.
- Generate a new sitemap
With the new URLs in place, generate a new sitemap. It gives search engines the list of pages to crawl, and to move up in the index every URL inside sitemap.xml has to be the https:// version. Magento builds the sitemap from the base URL, so regenerate it after the configuration change rather than editing the file by hand, then submit it in the new GSC property.
- Check Robots.txt file
Like sitemap.xml, robots.txt is read by every crawler; it lists the paths that should not be crawled. Check that nothing in it blocks the HTTPS URLs (an overly broad Disallow left over from staging is a classic mistake), and if it contains a Sitemap: line, point it at the HTTPS sitemap.
- Avoid non-safe images
Many images on a store are not hosted by the store but on someone else's server: vendor product photos, payment badges, trust seals. If the only available source is HTTP, the image is passive mixed content and costs you the padlock. Switch to the provider's HTTPS URL if one exists; otherwise copy the image into your own media directory and serve it yourself.
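The redirect, HSTS and hard-coded URL steps above all end with the same question: how do you verify them? The script below is an added example written for this article, not code from the original post or from Magento. It defines three checks: one that reads captured HTTP response headers and confirms a 301 to an https:// URL, one that confirms an HSTS header with a large enough max-age, and one that greps a Magento-style source tree for literal http:// URLs while skipping XML namespace and schema identifiers, which are not fetched resources. The hostname shop.example.com, the sample headers and the small source tree it builds under a temporary directory are all constructed for illustration.

```shell
#!/bin/sh
# Post-migration HTTPS checks. Added example, not from the original article or
# from Magento; shop.example.com, the sample headers and the sample source tree
# are constructed for illustration.

# Read raw response headers on stdin (e.g. `curl -sI http://shop.example.com/`)
# and return 0 only for a 301 whose Location is an https:// URL.
check_https_redirect() {
    hdrs=$(tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]*\).*/\1/p')
    location=$(printf '%s\n' "$hdrs" | grep -i '^Location:' | head -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//')
    if [ "$status" != "301" ]; then
        echo "expected 301, got ${status:-<none>}" >&2
        return 1
    fi
    case "$location" in
        https://*) return 0 ;;
        *) echo "Location does not use https: '$location'" >&2; return 1 ;;
    esac
}

# Read HTTPS response headers on stdin and return 0 when a
# Strict-Transport-Security header with max-age >= $1 seconds is present
# (default: one year, the value to aim for once the short trial period is over).
check_hsts() {
    min_age=${1:-31536000}
    hsts=$(tr -d '\r' | grep -i '^Strict-Transport-Security:' | head -n 1)
    if [ -z "$hsts" ]; then
        echo "no Strict-Transport-Security header" >&2
        return 1
    fi
    max_age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -n "$max_age" ] && [ "$max_age" -ge "$min_age" ]; then
        return 0
    fi
    echo "HSTS max-age '${max_age:-<none>}' is below $min_age" >&2
    return 1
}

# Print file:line:url for every literal http:// URL in templates, layout XML,
# JavaScript and CSS under $1. Namespace and schema URIs (w3.org, schema.org,
# .xsd) are identifiers the browser never fetches, so they are filtered out.
find_http_urls() {
    grep -rnoE --include='*.phtml' --include='*.html' --include='*.xml' \
         --include='*.js' --include='*.css' \
         'http://[^"'"'"'[:space:]<>)]+' "$1" 2>/dev/null \
        | grep -vE 'www\.w3\.org|schema\.org|\.xsd' || true
}

# Build a constructed Magento-1-style tree in a temp dir (printed on stdout)
# so find_http_urls can be demonstrated offline: two real offenders, one
# namespace URI that must be ignored, one https:// URL that must not match.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/app/design/frontend/default/theme/template/page/html" \
             "$dir/app/design/frontend/default/theme/layout" \
             "$dir/skin/frontend/default/theme/js"
    cat > "$dir/app/design/frontend/default/theme/template/page/html/header.phtml" <<'EOF'
<img src="http://cdn.example.com/images/logo.png" alt="Shop" />
<a href="<?php echo $this->getUrl('customer/account') ?>">My Account</a>
EOF
    cat > "$dir/app/design/frontend/default/theme/layout/local.xml" <<'EOF'
<?xml version="1.0"?>
<layout xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="0.1.0">
    <default/>
</layout>
EOF
    cat > "$dir/skin/frontend/default/theme/js/tracking.js" <<'EOF'
var pixel = "http://tracking.example.net/pixel.gif";
var api = "https://api.example.net/v1/";
EOF
    printf '%s\n' "$dir"
}
```

Against a live store the first two checks are fed from curl: `curl -sI http://shop.example.com/ | check_https_redirect` and `curl -sI https://shop.example.com/ | check_hsts 86400` during the trial period, then with the default one-year threshold once you raise max-age. Run `find_http_urls /path/to/magento` from the document root; remember that it only covers files, so the cms_page and cms_block content in the database still needs a separate query.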
Things to keep in mind
Beyond the recommendations above, here is something people tend to forget when moving to HTTPS. If the site does not behave as it should over HTTPS, check the following:
- Update Magento. Either upgrade to the current release or apply the outstanding security patches for your version. Both close known holes, but they are not equivalent: patches fix specific issues, while an upgrade also brings fixes that were never backported.
- Update Magento extensions. Some are full of external requests, such as API calls during checkout or conversion tracking pixels, and any of them still using http:// endpoints will trigger mixed-content warnings or be blocked. With many extensions this is tedious, but keep everything current and avoid extensions that have not received an update in more than three or four months.
- Keep the server's TLS configuration current: disable SSLv3 and TLS 1.0/1.1, prefer TLS 1.2 or newer with modern cipher suites, and re-test after every server update.
- Make sure the certificate has not expired and that renewal is automated or at least monitored; an expired certificate produces a far scarier browser page than plain HTTP ever did.
At this point you may wonder where the catch is; it all looks too simple. Cost used to be the obvious downside, but it no longer has to be: domain-validated certificates are available for free and can be renewed automatically, so the real cost is the migration work itself. Some argue that HTTPS slows a site down. With modern servers the TLS overhead is negligible, and HTTPS is also the only way browsers will use HTTP/2, which is usually a net speed-up. If your host cannot serve HTTPS efficiently, consider moving to one that can.
Moving to HTTPS has many benefits, but the move can hurt your rankings for a while, especially when the 301 redirects are missing or incomplete. Google treats an HTTP-to-HTTPS switch as a site move with URL changes: with correct redirects the link equity of incoming links carries over, without them some of it is lost. That risk is small and manageable, and moving now rather than later is a worthwhile long-term investment, because Google and other search engines will only lean further toward HTTPS as time goes on.
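Two of the points above, the key size discussed under the SSL certificate step and the expiry check in the last list item, are easiest to get right with the openssl command line. The script below is an added example written for this article, not from the original post or from any certificate authority's tooling. It generates a 2048-bit RSA key and a certificate signing request covering both the bare domain and its www host, reads the key size back out of the CSR so an undersized key is caught before it reaches the CA, and checks whether a certificate file is still valid for a given number of days, which is the check to put in a daily cron job. The hostname shop.example.com and the 30-day warning window are assumptions; the self-signed certificate is only a stand-in so the expiry check can be exercised offline and is not something to deploy.

```shell
#!/bin/sh
# Key, CSR and expiry checks with the openssl CLI. Added example, not from the
# original article; shop.example.com and the 30-day window are assumptions.

# Generate a 2048-bit RSA private key and a CSR for host $1 (plus www.$1 as a
# subject alternative name) into directory $2. Public CAs have required at
# least 2048-bit RSA since 2014; the key is generated here, on your side.
make_csr() {
    host=$1; out=$2
    cat > "$out/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host, DNS:www.$host
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$out/$host.key" \
        -out "$out/$host.csr" -config "$out/csr.cnf" 2>/dev/null
    chmod 600 "$out/$host.key"   # the private key never leaves this server
}

# Print the RSA modulus size in bits of the CSR in $1, e.g. "2048".
csr_key_bits() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Return 0 if the PEM certificate in $1 stays valid for at least $2 more days
# (default 30), 1 if it expires sooner. Suitable for a daily cron job.
cert_valid_for_days() {
    days=${2:-30}
    openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null
}

# Issue a self-signed certificate for $1 valid for $3 days into $2 and print
# its path. Test stand-in only: browsers will not trust it, it just gives
# cert_valid_for_days something to check without contacting a CA.
make_selfsigned_cert() {
    host=$1; out=$2; days=$3
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$out/$host.selfsigned.key" -out "$out/$host.selfsigned.crt" \
        -days "$days" -subj "/CN=$host" 2>/dev/null
    printf '%s\n' "$out/$host.selfsigned.crt"
}
```

In practice you run `make_csr shop.example.com /etc/ssl/private`, submit the .csr file to the CA (or let an ACME client such as certbot do both steps for you), and install the returned certificate together with the .key file. Wire `cert_valid_for_days /etc/ssl/certs/shop.example.com.crt 30 || mail -s "certificate expiring" ops@...` into cron so the renewal deadline is never a surprise; the `-checkend` test is the same one monitoring tools perform.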