HTTPS and TLS/SSL
HTTPS is the standard way that web browsers communicate with web servers. HTTPS ensures that all communications between browser and server are encrypted. Whilst HTTPS was previously considered optional alternative to HTTP, it is now increasingly expected for all websites, and popular browsers such as Google's Chrome will label sites that use HTTP rather than HTTPS as "insecure".
HTTPS hosting is also sometimes referred to as TLS or SSL hosting, or simply as a "secure website".
Enabling HTTPS is easy to do for websites hosted on one of our hosting accounts, and we recommend enabling it on all sites.
Enabling HTTPS on your website
- Go to the Web and Email Hosting section of the Customer Control Panel.
- Select your hosting account, if you have more than one.
- Click the Web Settings link for the domain that you wish to enable HTTPS for
- Select one of the three Enable TLS options under Security. The different modes are described in more detail below.
Afer a couple of minutes, your website should become available on an https://
URL. If you selected one of the "redirect" options, your browser should be
automatically redirected to the secure version of your website. HTTPS sites
are usually indicated with a padlock next to the site address in a web browser.
"www" and "bare domain" sites
Websites are traditionally served on a "www" hostname, e.g. www.example.com. It is also common to make sure that a website can be found without the "www" prefix, e.g. as example.com. It is recommended that one of these variants is configured to redirect to the other, although which way round this redirect is applied is a matter of personal preference.
These two variants are treated as separate websites in our control panel, and you should separately enable HTTPS hosting for both of them.
Available HTTPS modes
When enabling HTTPS for your site, you can select one of following modes:
- Disable TLS - this completely disables all requests over HTTPS, and should only be used if HTTPS cannot be used at all for your site.
- Enable TLS - this enables TLS, but still allows for plain HTTP connections. This means that depending on if users enter "http" or "https" into their browser, TLS may or may not be used. We would normally recommend against this.
- Enable TLS and redirect to https: - this means that if a user enters, or follows a link to, an insecure "http" URL, they will be redirected to the secure version of your site. Therefore, all requests to your site should be secure. We would normally recommend this option.
- Enable TLS, redirect to https: and enable HSTS - this works similarly to the previous option, but enforces the redirect in future; you can read more about this below.
HSTS
The fourth option is to enable HSTS (HTTP Strict Transport Security). This means that when a client visits your website, a header will be added to the response requesting that the browser only makes secure connections in the future. This means that if someone is able to pretend to be our server (e.g. on a public WiFi connection), the connection will still be forced to go over HTTPS, and as they will be unable to provide a valid certificate, the connection will fail. The HSTS header indicates how far into the future a browser should insist on HTTPS for the site. We currently specify a period of 14 days.
You should only set up HSTS if you are confident that you will continue to provide your site over HTTPS. Therefore, you should test your site thoroughly using one of the other HTTPS modes before enabling this mode.
If you are especially concerned about your site being impersonated, you can also apply for HSTS preloading. This means that your domain is included in a list shipped with various browsers, and HSTS will be enabled by default. Again, as with above, please be aware that this is very difficult to disable, so do not do so unless you are certain you can provide both your domain and all subdomains over HTTPS forever.