3 simple tips to using SSL everywhere


The Raygun app site has always enforced SSL, but recently we applied it to our entire website, including the public site & blog, so that we use SSL everywhere.

As an added benefit, shortly after we did that, Google announced they would give a slight ranking bonus in search results for secured pages! I expect we’ll see a lot more sites enforcing SSL everywhere going forward. It’s great for security but there are some gotchas for web developers to be aware of when transitioning an existing website to SSL everywhere.

1. Redirect properly

When somebody requests a non-secured URL, say http://raygun.com, you’ll need to redirect them to https://raygun.com. Seems simple enough, right?

The trick here is that most of the time you’ll find redirects are 302 redirects (this was the case for us with HAProxy). The issue with that is that a 302 is a Temporary Redirect. What you want is a 301 Permanent Redirect.

Why does this matter? Google. Google is why this matters.

Google looks at how many links you have as one of the many ways of ranking your site. Let’s say you build 5000 links to http://raygun.com. Then you switch over to HTTPS for everything. Now you build 3000 links to https://raygun.com. If you only do a 302, Google will NOT pass any of the link value through to the HTTPS version of the page – you look like you only have 3000 links – you’re splitting the Google link juice across two URLs in the eyes of the almighty Google. With a 301 redirect, it looks like 8000 links to https://raygun.com and helps your rankings.

This is a common mistake since many systems will default to a 302 temporary redirect. Your marketing team will thank you for getting this right 🙂
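A quick way to check which redirect your front end actually sends, as an added example that is not from the original post: the script requests a plain-HTTP URL without following redirects and lists anything that stops it being a permanent redirect to the HTTPS URL. The local demo server, its `/temp` path and the `example.test` host are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def check_redirect(status, location, expected_host):
    """Return a list of problems with one HTTP -> HTTPS redirect response."""
    problems = []
    if status not in (301, 308):  # 308 is the other permanent redirect code
        problems.append(f"status {status} is not a permanent redirect (want 301)")
    target = urlsplit(location or "")
    if target.scheme != "https":
        problems.append("Location does not point at an https:// URL")
    if target.hostname != expected_host:
        problems.append(f"Location host {target.hostname!r} != {expected_host!r}")
    return problems

def fetch_redirect(host, port, path="/"):
    """Send one plain-HTTP GET; http.client never follows redirects itself."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

class DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a front end: /temp answers 302, the rest 301."""
    def do_GET(self):
        self.send_response(302 if self.path == "/temp" else 301)
        self.send_header("Location", "https://example.test" + self.path)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass

def demo():
    """Run the check against the constructed server for both paths."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return {path: check_redirect(*fetch_redirect("127.0.0.1", port, path),
                                     "example.test") for path in ("/temp", "/")}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for path, problems in demo().items():
        print(path, "OK" if not problems else problems)
```

To check a real site, call `fetch_redirect` with its hostname and port 80 and pass the result to `check_redirect`.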

2. Create a new Google Webmaster Tools site

You use Google Webmaster Tools, right? If not, you should – it’s where you can get diagnostics from Google about your site in their index. It’s where you can discover if you’ve done something wrong, and it helps keep you sane.

The interesting thing, however, is that Google Webmaster Tools makes it appear as though a site is just the domain (e.g. raygun.com), rather than protocol-specific. Actually, it is protocol-specific! There’s some poor user experience here on the “New Site” page.

Looks like you can’t specify the protocol, right? Wrong!

Put the full address in, e.g. https://raygun.com

If you don’t add the HTTPS version of your site as a new property, suddenly your search volume data will look like you’re getting no search volume at all! Some parts of Google Webmaster Tools understand that sites can have two protocols, but some parts don’t (like the search volume page).

I’d freaked out that our search volume had fallen off a cliff – from thousands a day, to less than 10! I thought I’d done something wrong, but it was just this issue with GWT.

Save the heart attack and just create two sites – for the secured and non-secured versions of the domain.

Lastly, and maybe this is just me showing my age, but you can use links in various places that will inherit the protocol of the page.

For example:

<script type="text/javascript" src="//use.typekit.net/fonts.js"></script>

The starting double slash means that this link will use whatever protocol the page is currently using (https or http). No need for you to do detection yourself! In the lead-up to securing your entire site, you can start updating links to use this approach, or just force them to use https.

I hope that helps!

I hope this guide helps in your mission to secure your entire website. If there are any tips you have, please drop them in the comments section below 🙂