1 - What do I need to know? Pitfalls

I just tested Let’s encrypt with Kirby on a test domain and both these versions worked out of the box:

http://example.com
https://example.com

I’ve tried them both in the panel and on the frontend and it works. Before I move to https for my real live sites, are there anything I need to be aware of? What can go wrong?

I don’t use any “static” urls or paths.

2. Redirect with config or htaccess

I saw this one:

https://getkirby.com/docs/cheatsheet/options/ssl

But is it even better to use htaccess?

http://www.inmotionhosting.com/support/website/ssl/how-to-force-https-using-the-htaccess-file

I mean that way it will redirect even before Kirby has been loaded?

3. Drop in search engines because of redirects?

Now I’m supposed to be the SEO expert here, but I don’t have an answer to this one.

If I redirect all trafic to https, then I will probably lose some link power because of the redirect. Because the domain has a new url, then it has to start all over with getting trust etc? Or is https and http seen as the same domain? Or as two?

If I go from www to not www, it often leads to a ranking drop because www is a sub domain, which is seen as another domain that way.

It’s totally ok if you just have the answer to one of these questions.

I think you know my preferred route by now:

1. server configuration (if possible)
2. htaccess

And here is are some articles that seems to cover quite a few of the pitfalls/things to consider:

• http://searchengineland.com/http-https-seos-guide-securing-website-246940
• http://www.clickseed.com/seo/http-https-migration-guide

I also used lets encrypt to move the page (https://digitalmediadesign.io/) to https and didn’t get any errors or problems when doing so.

I used the .htaccess file for the redirect.

For the search engine I am not sure how google handled it. However it gets just listed as https now but I am not sure how it got updated in the ranking.

I think the biggest thing is that you have to make sure that you don’t have mixed content. So for the site I moved to https there where just some cdn’s that needed to be loaded via https but all other content like pictures are all on the server. If you got pictures thet get referenced from the web then you should make sure that they are all coming from https too (but I think you know that already ;))

I redirect to https in nginx, that would be in your htaccess using apache. I want those kind of redirects to happen even before kirby does anything.

When I switched to https I redirected all pages with a 301 and I didn’t notice any drop.

About the external assets I nowdays only use Google Fonts. I try to avoid large frameworks etc.

I think Google Fonts is safe out of the box. It looks like the https is taken care of:

wf.src = ('https:' == document.location.protocol ? 'https' : 'http') + '://ajax.googleapis.com/ajax/libs/webfont/1/webfont.js';

Before I did not know about the https restriction of external assets. I’m very newbie in this topic.

What I think I will do is test my live sites in https test domain first, before doing it live.

About the SEO part, no one seems to know how it affects. It says very little, even in the SEO sites. They just say like “Do it!” so I guess it’s just go for it and never look back…

Thanks!

Absolutely! (and some more characters)

For external resources (such as libraries hosted on cdnjs), if they’re available both on http and https, I just load the HTTPS one. It’s perfectly fine (and probably better from a security point of view) to load JS resources from different domains on HTTPS always, even from a HTTP page.

When I can be bothered, I take this kind of code:

wf.src = ('https:' == document.location.protocol ? 'https' : 'http') + '://ajax.googleapis.com/ajax/libs/webfont/1/webfont.js';

and just fix it:

wf.src = 'https://ajax.googleapis.com/ajax/libs/webfont/1/webfont.js';

Ahh. I don’t even usually rewrite the javascript that comes from external assets like Google Analytics or Google Fonts, but I think you have a point. Maybe more secure, less to load and less to do saves som bytes and loading time as well. Probably not noticeable, but anyway.

As google moves more and more toward forcing the use of https I think you are in a save spot. I guess it gets appreciated by google if you https

Just recently they announced that they want to start warning the users about unsecured websites on visit.

Just recently they announced that they want to start warning the users about unsecured websites on visit.

Yes, it’s not a coincidence that I’ve rushed into this now. The clock is ticking.

New sites I build are always HTTPS-only. Adding in HTTPS support later on can lead to all sorts of issues. It just makes sense to use HTTPS and with Let’s Encrypt it’s also free and easy to do.

I strip the first part and only use ‘//url.tld’ on a http site you get http://url.tld on https the https version.

Yeah, but the point was to always use the more secure one. There’s virtually no penalty in requesting the HTTPS resource. See the update on this post: The Protocol-relative URL.