Website security is more than just a green padlock!

  • Friday, 25th March, 2022
  • 14:42pm

History

In the early days of the internet, as websites moved into e-commerce, we needed a way to ensure that payment details were transmitted securely between the website visitor and the web server. This is where SSL comes in.

Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL),[1] are cryptographic protocols designed to provide communications security over a computer network.[2] Several versions of the protocols find widespread use in applications such as web browsing, email, instant messaging, and voice over IP (VoIP). Websites can use TLS to secure all communications between their servers and web browsers.

Transport Layer Security on Wikipedia

Present Day

Back in 2016, Google announced on their Chromium blog that they would be changing the indicators that show whether a page is secure and whether the data that you send will be safe in transit. This started a journey where, now in 2020, it is expected that all pages and data on your website are secured with a valid certificate and the modern TLS protocol.

Speed

As well as security, using an SSL/TLS certificate on your website also means better performance. The Hypertext Transfer Protocol (HTTP/1.1) that we had been using up to 2015 was designed back in 1997 and, although it did a good job, a lot of workarounds were put in place to get the best speeds.

In 2015 the official spec for HTTP/2 was released, and with it a bunch of new optimisations to make the web work more efficiently. Although these could have been implemented either securely or insecurely, browser manufacturers (Google with Chrome, Mozilla with Firefox, Microsoft with Edge, etc.) have only built it in a secure way. This means that if you want a fast-loading website with the latest technology, you HAVE to make it secure.

 

Always Set

One way to ensure that your website is always requested securely is to use HTTP Strict Transport Security (HSTS), a flag sent by your web server that tells your visitors’ browsers to only request resources/files using the secure https protocol.

The issue with this is that an initial insecure request still has to happen before the browser sees the flag; that’s where the “HSTS Preload List” comes in. This is a list of sites that are hardcoded into Chrome, as well as Firefox and Edge, as being HTTPS-only, meaning even the first request is always secure.

This is a free service and quite easy to set up. If using the Apache web server, first you need to add the code below to the .htaccess file in the root directory of your hosting account. This code adds the HSTS flag on line 3 and tells the browser to remember this for the next year, then on line 4 instructs any resources requested insecurely to be upgraded to https, and finally lines 10 & 11 redirect any request that is received via http to https.

Once these are in place, you need to request submission to the HSTS Preload List via https://hstspreload.org/

 

Code

#Set Secure HTTP Header
<IfModule mod_headers.c>
    Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" env=HTTPS
    Header set Content-Security-Policy "upgrade-insecure-requests;"
</IfModule>

#Redirect HTTP to HTTPS
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
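A check worth running before submitting to https://hstspreload.org/, added here as an example and not part of the original article: it parses a Strict-Transport-Security value the way RFC 6797 describes and lists anything that would fail the preload list's published requirements (max-age of at least one year, includeSubDomains, preload, and an HTTP redirect to https on the same host). The function names and the example.com values are hypothetical; feed it the header and Location values your own server returns.

```python
import re
from urllib.parse import urlsplit

PRELOAD_MIN_AGE = 31536000  # one year in seconds, the preload list minimum

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value-or-None}.

    Per RFC 6797: names are case-insensitive, values may be quoted, and a
    repeated directive makes the whole header invalid (raises ValueError).
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val.strip().strip('"') or None
    return directives

def preload_problems(hsts_value, http_url, redirect_location):
    """Return the reasons this header/redirect pair would fail preload checks."""
    try:
        d = parse_hsts(hsts_value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    max_age = d.get("max-age") or ""
    if not re.fullmatch(r"\d+", max_age):
        problems.append("max-age missing or not a number")
    elif int(max_age) < PRELOAD_MIN_AGE:
        problems.append(f"max-age {max_age} is below {PRELOAD_MIN_AGE}")
    for flag in ("includesubdomains", "preload"):
        if flag not in d:
            problems.append(f"{flag} directive missing")
    src, dst = urlsplit(http_url), urlsplit(redirect_location)
    if dst.scheme != "https":
        problems.append("HTTP request is not redirected to https")
    elif dst.hostname != src.hostname:
        problems.append("first redirect must go to https on the same host")
    return problems

# Constructed sample values; example.com is a placeholder host.
PAGE_HEADER = "max-age=63072000; includeSubDomains; preload"  # 63072000 s = 730 days
print(preload_problems(PAGE_HEADER, "http://example.com/a", "https://example.com/a"))
print(preload_problems("max-age=3600", "http://example.com/", "https://www.example.com/"))
```

Because includeSubDomains applies the policy to every subdomain, confirm each one serves HTTPS with a valid certificate before submitting.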

Conclusion

I hope this puts you on the right track to getting your website secure, but if you still have questions, why not contact us to help with your UK Based cPanel Web Hosting?
