October 30–31, 2016: Training
October 31–November 2, 2016: Tutorials & Conference
New York, NY

Migrating to HTTPS

Eric Lawrence (Google)
4:45pm–5:25pm Tuesday, 11/01/2016
Tools and processes
Location: Trianon Ballroom Level: Intermediate
Average rating: ****.
(4.67, 3 ratings)

Prerequisite knowledge

  • A basic understanding of web development

What you'll learn

  • Understand why migrating to HTTPS is crucial and why the urgency is increasing


In 2015, 45 percent of households refrained from online activities due to security or privacy worries, and for good reason—snoops and active attackers mean our networks are increasingly hostile. Protecting users and their information requires HTTPS on every page of every site. Browsers have started limiting powerful features like geolocation and service workers to pages served over HTTPS, and before long they’ll actively warn users when visiting nonsecure pages.

Fortunately, moving sites of any size and complexity to HTTPS is easier than ever. Certificates can be acquired automatically at no cost, new protocols like HTTP/2 and Brotli compression mean that secure connections can improve performance, and web developers can utilize features like upgrade insecure requests and referrer policy to avoid common pitfalls as they upgrade to HTTPS.

Eric Lawrence offers practical advice to defuse common concerns about migrating to HTTPS, including cost, performance, advertising and CDNs, search engine optimization, and errors and mixed content. You’ll learn to optimize your configuration with automatic configuration checkers, HTTP strict transport security, cipher suites and certificate chains, referrer policy, upgrade insecure requests, and public key pinning. Along the way, you’ll learn why HTTPS is the only way to meet users’ security and privacy expectations and allow the Web to attain its full potential.

Photo of Eric Lawrence

Eric Lawrence


Eric Lawrence is a senior software engineer on the Google Chrome Security team, working on the #moarTLS effort. Eric is passionate about building tools to help developers and testers build better web applications. He built the Fiddler Web Debugger and spent a dozen years at Microsoft working on the Office Online and Internet Explorer engineering teams. You can find him on Twitter as @ericlaw and on his blog, Textslashplain.

Comments on this page are now closed.


Picture of Eric Lawrence
Eric Lawrence
10/27/2016 1:14pm EDT

I hope to see you at my Session!

I’ll also be running “Office Hours” in the morning break on Tuesday, so if you have questions or experiences to share about moving your sites to HTTPS, I’d love to meet you.