Skip to main content
CodeRocket
Securitycriticaltransport

Serve all pages over HTTPS

rule · https

HTTPS (opens in a new tab) (HTTP over TLS) encrypts all traffic between the browser and your server, providing confidentiality, integrity, and authentication. MDN's transport security guidance (opens in a new tab) and the OWASP transport cheat sheet (opens in a new tab) both treat site-wide HTTPS as the baseline, not an optional hardening step.

Code Example

Let's Encrypt (Free)

Shell
# Install Certbot
sudo apt install certbot python3-certbot-nginx  # Debian/Ubuntu
sudo yum install certbot python3-certbot-nginx  # RHEL/CentOS
 
# Obtain and auto-configure certificate for Nginx
sudo certbot --nginx -d example.com -d www.example.com
 
# Certbot automatically sets up renewal
# Test renewal with:
sudo certbot renew --dry-run

Hosted / Managed TLS

Most platforms handle TLS automatically:

  • Vercel: Automatic — certificates provisioned for all deployments
  • Netlify: Automatic — one-click HTTPS via Let's Encrypt
  • AWS CloudFront: Use AWS Certificate Manager (free for CloudFront)
  • Cloudflare: Managed TLS included on all plans

Why It Matters

Plain HTTP exposes every request and response to anyone on the network path — ISPs, Wi-Fi operators, and MITM attackers can read passwords, session tokens, and personal data without any warning to the user.

What HTTPS Provides

  • Confidentiality: Data cannot be read by third parties on the network path
  • Integrity: Data cannot be modified in transit (prevents content injection by ISPs or MITM attackers)
  • Authentication: The certificate proves the server is who it claims to be, preventing impersonation

HTTP-to-HTTPS Redirect

Nginx

NGINX
# Redirect all HTTP to HTTPS
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
 
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;
 
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
 
    # ...
}

Apache

APACHE
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

Cloudflare

In the Cloudflare dashboard → SSL/TLS → Edge Certificates → enable Always Use HTTPS and set Minimum TLS Version to 1.2.

Modern Features Requiring HTTPS

Both MDN (opens in a new tab) and web.dev (opens in a new tab) treat these as secure-context features, so they are a practical way to spot pages that still rely on insecure origins.

Browsers block these APIs on non-secure origins:

FeatureWhy It Requires HTTPS
Service WorkersPrevent network interception of cached resources
Push NotificationsAuthentication required
Geolocation APIPrivacy protection
getUserMedia (camera/mic)Privacy protection
Web Crypto APISecurity requirement
Payment Request APIFinancial data protection
HSTS, HTTP/2, HTTP/3Protocol requirements

Common Pitfalls

MistakeImpactFix
Expired certificateBrowser blocks the page with a security warningConfigure auto-renewal (e.g., certbot renew via cron)
Certificate missing wwwwww.example.com shows a security errorUse a SAN certificate covering both example.com and www.example.com
HTTP redirect uses 302Browsers may not cache the redirect, slowing future requestsUse 301 (permanent) redirect
HTTPS only on login pagesData on all other pages exposed in transitEnable HTTPS site-wide

Exceptions

  • Local development or internal-only environments can differ, but production user-facing traffic should still satisfy the transport requirement strictly.
  • A redirect or HTTPS control that fails on one hostname, subdomain, or CDN edge path is still a real failure for users and crawlers reaching that surface.
  • Fix the strongest transport weakness first instead of treating every downstream symptom as a separate primary issue.

Support Notes

  • Verify HTTPS behavior in a production-like environment with the real certificate chain, redirects, proxies, and CDN path in place.
  • Modern secure-context features may appear to work locally while still failing or degrading on real production hosts.

Verification

Automated Checks

  • Run an automated security check, scripted probe, or log-based validation against a representative live flow.

Manual Checks

  • Verify the browser or user-facing behavior manually in a production-like flow and confirm there is no stronger conflicting security signal.