I just tested Let’s Encrypt with Kirby on a test domain and both these versions worked out of the box:
http://example.com
https://example.com
I’ve tried them both in the panel and on the frontend and it works. Before I move to https for my real live sites, is there anything I need to be aware of? What can go wrong?
I mean that way it will redirect even before Kirby has been loaded?
3. Drop in search engines because of redirects?
Now I’m supposed to be the SEO expert here, but I don’t have an answer to this one.
If I redirect all traffic to https, then I will probably lose some link power because of the redirect. Because the domain has a new URL, does it have to start all over with getting trust etc.? Or are https and http seen as the same domain? Or as two?
If I go from www to not www, it often leads to a ranking drop because www is a subdomain, which is seen as another domain that way.
It’s totally ok if you just have the answer to one of these questions.
I also used Let’s Encrypt to move the page (https://digitalmediadesign.io/) to https and didn’t get any errors or problems when doing so.
I used the .htaccess file for the redirect.
For the search engine I am not sure how Google handled it. However, it just gets listed as https now, but I am not sure how it got updated in the ranking.
I think the biggest thing is that you have to make sure that you don’t have mixed content. So for the site I moved to https there were just some CDNs that needed to be loaded via https, but all other content like pictures is all on the server. If you have pictures that get referenced from the web then you should make sure that they are all coming from https too (but I think you know that already ;))
Before, I did not know about the https restriction of external assets. I’m very much a newbie on this topic.
What I think I will do is test my live sites on an https test domain first, before doing it live.
About the SEO part, no one seems to know how it affects things. Very little is said, even on the SEO sites. They just say something like “Do it!”, so I guess it’s just go for it and never look back…
For external resources (such as libraries hosted on cdnjs), if they’re available both on http and https, I just load the HTTPS one. It’s perfectly fine (and probably better from a security point of view) to load JS resources from different domains on HTTPS always, even from an HTTP page.
Ahh. I don’t even usually rewrite the JavaScript that comes from external assets like Google Analytics or Google Fonts, but I think you have a point. Maybe more secure, less to load and less to do saves some bytes and loading time as well. Probably not noticeable, but anyway.
New sites I build are always HTTPS-only. Adding in HTTPS support later on can lead to all sorts of issues. It just makes sense to use HTTPS and with Let’s Encrypt it’s also free and easy to do.
Yeah, but the point was to always use the more secure one. There’s virtually no penalty in requesting the HTTPS resource. See the update on this post: The Protocol-relative URL.
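
Added example (not part of the original thread): a small Python check for the mixed-content issue discussed above. It lists subresources in a page that are referenced over `http://` or with a protocol-relative `//` URL, so they can be switched to `https://` before the redirect goes live. The sample HTML and its hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attributes that make the browser fetch a subresource.
# Plain navigation links (<a href>) are not mixed content and are skipped.
FETCH_ATTRS = {"script": ("src",), "img": ("src",), "iframe": ("src",),
               "source": ("src",), "embed": ("src",), "object": ("data",)}
FETCH_LINK_RELS = {"stylesheet", "icon", "preload"}

# Constructed sample page (hostnames are placeholders).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="//cdn.example.com/lib.js"></script>
<script src="https://cdn.example.com/ok.js"></script>
<link rel="canonical" href="http://example.com/">
</head><body>
<a href="http://example.com/about">About</a>
<img src="/assets/images/logo.png">
<img src="http://images.example.net/photo.jpg" />
</body></html>"""

def classify(url):
    """Return 'insecure', 'protocol-relative', or None for a resource URL."""
    if url.startswith("//"):
        return "protocol-relative"  # inherits http on an http page
    if urlsplit(url).scheme.lower() == "http":
        return "insecure"           # blocked or warned about on an https page
    return None

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, url, kind)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        names = FETCH_ATTRS.get(tag, ())
        if tag == "link":  # only rel values that trigger a fetch
            rels = set((attrs.get("rel") or "").lower().split())
            names = ("href",) if rels & FETCH_LINK_RELS else ()
        for name in names:
            url = (attrs.get(name) or "").strip()
            kind = classify(url)
            if kind:
                self.findings.append((self.getpos()[0], tag, url, kind))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for line, tag, url, kind in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag}> {kind}: {url}")
```

This only inspects static HTML attributes; URLs inside CSS files or injected by scripts need a separate check, for example the browser console on the https test domain.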