HTTPS/SSL with IDX Broker

I recently read a post on the IDX Broker Mastermind Group in Facebook with the following question:

“I use IDX Broker Platinum and have IDX Broker on a subdomain along with a WordPress main website. I have read you get some SEO benefit of switching your website to HTTPS. Is this possible or recommended with Platinum on a subdomain of the main website?”

This question comes up once in a while, and the quick answer is that it’s not supported. However some of the comments made it seem like HTTPS is not very important. I first requested support for HTTPS in the developer forums back in Feb 2015, so I wanted to give more details and insight to my thoughts on the matter.

Does IDX Broker support SSL Currently?

Partially.

If you are using the default subdomain such as your-install-name.idxbroker.com provided by IDX Broker, you can load the urls over HTTPS. Below is a screenshot of the certificate that your IDX pages would use.

If you are using a custom subdomain such as your-install-name.yourdomain.com (and hopefully you are), then it’s more complicated due to the fact that middleware does not offer any ability to add your own custom SSL Certificates. It’s only possible by using a product/service such as CloudFlare that sits in front of IDX Broker.


The Common issues with SSL and IDX Broker

There are several problems you will quickly notice when you try to setup IDX Broker with SSL.

Issue 1: Styling on IDX Broker pages are Broken
When you first load an IDX Broker page over HTTPS you will quickly learn that the page designs seem broken. This is due to the fact the Custom CSS feature that loads the IDX CSS is set to HTTP://

Left: IDX page loading over http, Right: IDX page loading over https

IDX Broker can fix this issue by loading the url with // instead of using http://. This is known as a protocol-relative URL. Until a permanent fix is in place you can use javascript to force the url to // or https.

Update: Sept 19, 2016 Here is some example code:

jQuery(window).on(‘load’, function() {
var hostname = window.location.hostname;
 jQuery(‘link[href*=”’+hostname+’”]’).each(function(){
var link = this.href;
this.href = link.replace(‘http://', ‘//’);
});
 jQuery(‘[href*=”mapquest.com”]’).each(function(){
var link = this.href;
this.href = link.replace(‘http://', ‘//’);
});
 jQuery(‘[href*=”idxbroker.com”]’).each(function(){
var link = this.href;
this.href = link.replace(‘http://’, ‘//’);
});
 jQuery(‘[src*=”google.com/recaptcha/api/js/”], [src*=”stats.idxbroker.com”]’).each(function(){
var link = this.src;
this.src = link.replace(‘http://’, ‘//’);
});
 jQuery(‘img[data-src*=”idxbroker.com”]’).each(function(){
var link = jQuery(this).data(‘src’);
this.src = link.replace(‘http://w', ‘//ws’);
});
});

ISSUE 2: IDX Broker widgets won’t load on your main site/domain. 
All of the IDX Broker widgets are created with javascript. Usually you just copy the code to your site, however with HTTPS enabled they most likely will not display. Most browsers won’t let you load non-secure third party javascript on a secure page.

You must first make sure you have your IDX sub domain support HTTPS. After that you need to manually update the widget urls in the src to use https:// instead of http://. Example code below:

<script charset="UTF-8" type="text/javascript" id="idxwidgetsrc-1234" src="https://yourinstall.idxbroker.com/idx/leadloginwidget.php?widgetid=1234"></script>

If you are using the IMPress for IDX Broker WordPress plugin, you will quickly realize that you can no longer use the shortcodes or IDX widgets created by the WordPress plugin as you have no way to update the urls to HTTPS. You will need to manually add the code.

Update: Sept 19, 2016 — I have submitted a pull request to the IDX Broker team that would let IDX Broker widgets load over HTTPS.

Update: Oct 2, 2016 — IDX Broker has updated the IMPress for IDX Broker plugin with this fix in place, however if you have added widgets manually (i.e. not with a shortcode) then you will need to still update them.

ISSUE 3: Many of the images are not HTTPS
From what I can tell, this issue is partially out of IDX Broker’s control. Many of the images on IDX Broker sites load directly from the MLS and not from IDX Broker. This is probably set by the MLS/Boards rules.

The best thing developers/partners/agents can do is contact the MLS/Boards directly and ask if they support HTTPS for images. I would love to see a list started of those that support it and those that do not. If they do support it, then IDX Broker should make sure they are using the https image urls for those MLS/Boards.

With some MLS/Boards, IDX Broker loads the images from the IDX Broker servers/cdn. IDX Broker should have complete control to support HTTPS by installing a certificate for their sub domains. Here are the three sub domains IDX Broker should install a certificate for immediately:

  • mlsphotos.idxbroker.com
  • clientphotos.idxbroker.com
  • syndication.idxbroker.com

ISSUE 4: SSL for Misc scripts/urls
IDX Broker pages will use scripts from other sites/cdn’s/etc. These should all be loading over HTTPS when possible. A quick example would be the recaptcha_ajax.js script.


How Important is SSL for IDX Broker Pages?

The web is quickly moving to HTTPS everywhere, the sooner IDX Broker supports it the better it will be for IDX Broker/Developers/Clients.

How much does it cost? The cost of SSL certificates can vary quite a bit based on the type of SSL certificate you want. For most sites the standard SSL certificate (around $30-$80 a year) is enough, and with tools like Lets Encrypt, a SSL certificate can be completely free.

Is it important for SEO? Google announced in 2014 that HTTPS would be a ranking signal. By itself HTTPS as a ranking signal is still very small, however with https setup properly you can see big performance improvements with support for features like SPDY or HTTP/2. Speed can have a big impact on your sites SEO.

Update: Oct 2, 2016 — Recently Google announced any page with a login form will be marked as insecure starting in January 2017. This means any IDX page with a form to create or login as a lead within IDX Broker will most likely be flagged as insecure if not using HTTPS.

Do we really need IDX to be secured over HTTPS? This can be debated, how important is it to keep your visitors/leads data secure? It is true IDX pages don’t collect credit card information, but it does collect Lead Contact Information along with a password. Your leads use this login to save properties and searches on your IDX pages. Would your leads be upset if they found out this information was made public? What if your leads use the same password for your IDX pages as they do for say their email, Amazon, or bank accounts? You can quickly see the dangers.


One clap, two clap, three clap, forty?

By clapping more or less, you can signal to us which stories really stand out.