Enable HTTPS: certificates, redirects, and HSTS

Modern visitors expect the lock icon. Search engines reward it. Browsers enforce it. This guide shows how to move a site to HTTPS without surprises, and how to keep it secure over time.

Why HTTPS matters

HTTP sends everything in clear text. HTTPS encrypts traffic, protects cookies, prevents content tampering, and unlocks modern features like HTTP/2 and Service Workers. It is also a ranking signal and a trust signal for users.

Background: what you actually need

• A valid TLS certificate issued for your domain (and subdomains you use)
• A server (or CDN) configured to serve HTTPS
• A redirect from HTTP to HTTPS
• Optional but recommended: HSTS to force HTTPS in the browser
• No mixed content (no HTTP assets on HTTPS pages)

Step-by-step guide

1) Get a certificate

Let’s Encrypt (via ACME) provides free, automated certificates. Use the best‑supported client for your stack (e.g., Certbot, win-acme, acme.sh).

# Nginx (Ubuntu) with Certbot
sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo certbot --nginx -d example.com -d www.example.com --redirect

# Apache
sudo apt install python3-certbot-apache
sudo certbot --apache -d example.com -d www.example.com

Free Cloud and CDN certificate options:

• Cloudflare: Full (strict) TLS and edge certificate
• AWS: AWS Certificate Manager with CloudFront/ALB
• Azure: App Service managed certificate

Keep certificate renewal automatic and monitored, to make sure that the certificate does not expire.

2) Enable HTTPS and redirect HTTP → HTTPS

Nginx

server {
  listen 80;
  server_name example.com www.example.com;
  return 301 https://example.com$request_uri;
}

server {
  listen 443 ssl http2;
  server_name example.com;

  ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

  # Security headers
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
}

Apache

<VirtualHost *:80>
  ServerName example.com
  Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com
  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>

IIS

1. Bind the certificate in IIS Manager → Site → Bindings → https
2. Add a URL Rewrite rule: HTTP → HTTPS 301 redirect

Next.js

Edge/CDN/server redirects are preferred. For an app‑level fallback in Next.js, use:

// next.config.mjs
export default {
  async redirects() {
    return [{ source: '/:path*', has: [{ type: 'host', value: 'example.com' }], destination: 'https://example.com/:path*', permanent: true }];
  },
};

3) Remove mixed content

Mixed content breaks HTTPS and user trust. Review and upgrade all HTTP assets to HTTPS.

• Use protocol-agnostic or explicit HTTPS URLs for all embedded assets such as images, stylesheets, scripts and iframes
• Fix hardcoded http:// in templates, CSS, and JS
• Update CDN/library URLs to HTTPS versions
• Avoid protocol-relative URLs (//), instead explicitly use https://

Temporary safety net:

Content-Security-Policy: upgrade-insecure-requests

Use with care; it hides problems where HTTPS rewrites are unavailable. Prefer real fixes. Read Fix mixed content for more.

4) Turn on HSTS

HSTS tells browsers to only use HTTPS for your website and, with preload, to hard‑code this in browsers.

Nginx

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Apache (mod_headers)

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

IIS (web.config)

<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

Cloud/CDN

• Cloudflare: Rules → Transform or Response header rules → add Strict-Transport-Security
• AWS CloudFront: add a response header policy with Strict-Transport-Security
• Fastly: set resp.http.Strict-Transport-Security in VCL

Preload checklist

1. 1) All traffic works on HTTPS (including subdomains)
2. 2) Permanent redirects are in place
3. 3) You accept that browsers will enforce HTTPS even if you misconfigure later

When ready, you may optionally submit your website to the preload list: https://hstspreload.org

Testing and validation

• curl -I https://example.com to verify redirects/headers
• Browser DevTools → Security tab
• Barrion: Automatically run HTTPS, HSTS and certificate checks in the Barrion dashboard

Common mistakes

• Redirect chains (HTTP → www HTTP → HTTPS), instead of using single hop
• Let’s Encrypt renewal misconfigured and/or not monitored
• Forgetting subdomains in HSTS
• Mixed content left in CSS or inline scripts

Advanced tips

• Prefer TLS 1.3 and modern ciphers (see TLS 1.3 upgrade guide)
• Use a CDN for edge TLS and performance
• Set up continuous monitoring in the Barrion dashboard, which includes security checks for HTTPS, HSTS, certificate cipher suite, and certificate expiry

Conclusion

Move to HTTPS methodically: obtain a certificate, configure to use HTTPS, fix mixed content, enable redirects, then add HSTS. Test thoroughly and keep it monitored. Set up automated monitoring in Barrion for HTTPS, HSTS, and certificate checks including cipher suite and certificate expiry.

Next step: Sign in and run a scan in the Barrion dashboard. You can also validate your TLS setup quickly with the TLS/SSL Security Checker.