HTTP/HTTPS

For a basic overview of how HTTPS works, see howhttps.works.

At work, we ensure that all sites we are deploying live have HTTPS enabled. Apart from security, it is a requirement for better search ranking.

This means that whatever we build needs to work correctly over HTTPS.

Most hosting companies and server management tools use Let’s Encrypt to enable free TLS certificates for sites.

For situations where the host server has trouble installing an HTTPS certificate, Cloudflare Flexible SSL offers another option: HTTPS is terminated at Cloudflare's proxy, which sits in front of the site at the DNS level. Note that with Flexible SSL only the browser-to-Cloudflare leg is encrypted; traffic between Cloudflare and the origin server still travels over plain HTTP.

HSTS

HSTS (HTTP Strict Transport Security) is a security policy mechanism that helps protect websites against man-in-the-middle attacks such as protocol downgrade attacks (forcing a fallback to plain HTTP) and cookie hijacking. Basically, it allows a web server to declare that web browsers should interact with it over HTTPS (secured) connections only. A web server implementing an HSTS policy supplies the Strict-Transport-Security header over an HTTPS connection; an HSTS header received over plain HTTP is ignored by the browser.

When a web application issues an HSTS policy to a user agent, the user agent can either automatically turn insecure (http://) links into secure (https://) links, or, if the security of the connection cannot be ensured, terminate the connection.
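As an added illustration of the two HSTS behaviours described above (not code from the original post), the following Python models a browser's HSTS store: it ignores the header when it arrives over plain HTTP, records it with its expiry and includeSubDomains flag, and rewrites http:// URLs to https:// for hosts it knows. The HstsStore class and its method names are hypothetical names chosen for this example.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy


class HstsStore:
    """Minimal model of a user agent's HSTS cache (hypothetical helper)."""

    def __init__(self):
        self._hosts = {}  # host -> (expires_at, include_subdomains)

    def record(self, host, header, scheme="https", now=None):
        # An HSTS header seen over plain HTTP carries no weight and is ignored.
        if scheme != "https":
            return False
        policy = parse_hsts(header)
        now = time.time() if now is None else now
        if policy["max_age"] == 0:
            self._hosts.pop(host.lower(), None)  # max-age=0 clears the entry
        else:
            self._hosts[host.lower()] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host, now=None):
        # Walk from the full host up through its parent domains; a parent entry
        # only applies when it was recorded with includeSubDomains.
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now=None):
        # Upgrade http:// to https:// for known hosts; port 80 becomes the default 443.
        p = urlsplit(url)
        if p.scheme == "http" and self.is_known(p.hostname, now):
            netloc = p.hostname if p.port == 80 else p.netloc
            return urlunsplit(("https", netloc, p.path, p.query, p.fragment))
        return url
```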