In 2015, 45 percent of households refrained from online activities due to security or privacy worries, and for good reason—snoops and active attackers mean our networks are increasingly hostile. Protecting users and their information requires HTTPS on every page of every site. Browsers have started limiting powerful features like geolocation and service workers to pages served over HTTPS, and before long they’ll actively warn users when visiting nonsecure pages.
Fortunately, moving sites of any size and complexity to HTTPS is easier than ever. Certificates can be acquired automatically at no cost, new protocols like HTTP/2 and Brotli compression mean that secure connections can improve performance, and web developers can utilize features like upgrade insecure requests and referrer policy to avoid common pitfalls as they upgrade to HTTPS.
Eric Lawrence offers practical advice to defuse common concerns about migrating to HTTPS, including cost, performance, advertising and CDNs, search engine optimization, and errors and mixed content. You’ll learn to optimize your configuration with automatic configuration checkers, HTTP strict transport security, cipher suites and certificate chains, referrer policy, upgrade insecure requests, and public key pinning. Along the way, you’ll learn why HTTPS is the only way to meet users’ security and privacy expectations and allow the Web to attain its full potential.
Eric Lawrence is a senior software engineer on the Google Chrome Security team, working on the #moarTLS effort. Eric is passionate about building tools to help developers and testers build better web applications. He built the Fiddler Web Debugger and spent a dozen years at Microsoft working on the Office Online and Internet Explorer engineering teams. You can find him on Twitter as @ericlaw and on his blog, Textslashplain.
©2016, O'Reilly Media, Inc. • (800) 889-8969 or (707) 827-7019 • Monday-Friday 7:30am-5pm PT • All trademarks and registered trademarks appearing on oreilly.com are the property of their respective owners. • email@example.com