HTTPS New Year! Avoid the “Not Secure” label

Dražen, Punk Rock Dev
Jan 2, 2017

Happy New Year! So, from January 2017, Chrome 56 begins labelling as “Not Secure” every website served over HTTP that contains a password form. You need to upgrade to HTTPS to get rid of this off-putting label.

You don’t want this “Not Secure” label next to your website, right?

Even if you don’t have password forms, HTTPS improves your search engine ranking, so it’s really about time to upgrade to HTTPS as a new year resolution! Sounds complicated? Luckily it’s pretty easy to do these days and it’s free. In this article I’ll walk you through a couple of possible approaches.

Quick fix — CloudFlare’s shared certificate

As part of CloudFlare CDN’s free tier, you can use their shared TLS certificate. It’s not a 100% secure solution: only the hop between the browser and CloudFlare is encrypted, while traffic between CloudFlare and your app server still travels unencrypted. It does protect your users against local eavesdropping (e.g. on public Wi-Fi), so this method is suitable for your personal website or small projects where you’re not worried about ISP-level attacks. Example scenarios where this solution can be useful:

  • GitHub pages website with a custom domain
  • WordPress website with a custom domain
  • Heroku app with a custom domain (Update: Heroku now supports free SSL on all paid dynos. Just go upgrade to a hobby plan if you haven’t!)

To set up, follow the steps provided in this tutorial. The steps boil down to:

  1. Create a CloudFlare account
  2. Point it to your domain to automatically pick up on the DNS rules (double-check everything is in there)
  3. Change your domain’s nameservers from your current provider’s (e.g. NameCheap’s) to CloudFlare’s

If everything works out fine, you’ll be able to redirect all HTTP requests to HTTPS. Don’t forget that all the domain rules now have to be set up through CloudFlare’s settings (e.g. if you’re setting up email for your domain).

More secure — your own Let’s Encrypt certificate

To fully encrypt the traffic from your users all the way to your app server, you should create your own TLS certificate, such as a free Let’s Encrypt certificate. This is the proper HTTPS setup method which you should apply eventually, e.g. I used it for a Discourse app I’m hosting for our local tech community.

You’re able to set up your own auto-renewing Let’s Encrypt certificate when you have access to the machine hosting your software. The exact steps will depend on your technology stack. A pretty common setup is an nginx web server on Ubuntu, which is covered in this tutorial.

This approach can get a bit fiddly and require some command line experience. Consider Server Fault if you get stuck or hire a professional to help you out.
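To make the nginx-on-Ubuntu setup and the HTTP-to-HTTPS redirect mentioned above concrete, here is an added example of a minimal nginx site config for a certificate issued with certbot. It is not from the original post or the linked tutorial; the domain `example.com`, the webroot `/var/www/letsencrypt` and the document root are assumptions, and the `/etc/letsencrypt/live/...` paths are the ones certbot creates.

```nginx
# Added example (not from the original post). Replace example.com and the
# assumed paths with your own domain and the paths certbot prints after issuing.

# Plain-HTTP server: answer ACME renewal challenges, redirect everything else.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Lets certbot's webroot plugin renew the certificate without stopping nginx.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # assumed webroot; must match certbot -w
        default_type "text/plain";
    }

    # A permanent redirect keeps search engines pointed at the HTTPS version.
    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS server: the only place the application is actually served.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    # Paths created by certbot; "live" always points at the newest certificate.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Modern protocols only; nginx older than 1.13 does not know TLSv1.3.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # Tells browsers to use HTTPS for six months even if a user types http://.
    # Start with a short max-age while testing: a broken cert locks users out.
    add_header Strict-Transport-Security "max-age=15768000" always;

    root /var/www/example.com;   # assumed application document root
    index index.html;
}
```

Run `sudo nginx -t` before `sudo systemctl reload nginx`, and confirm renewal works with `sudo certbot renew --dry-run` so the certificate does not silently expire.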

Stay informed

To receive more actionable tips on building an online business, subscribe to our newsletter ✉️

More from us on punkrockdev.com and @punkrockdev 💻

Help spread HTTPS love by clicking the ❤ button below 😎
