HTTPS everywhere

Thursday, June 18th, 2015

TL;DR CloudFlare is awesome, but don’t underestimate the effort required to fully switch your site to HTTPS

About time… That’s what I keep telling myself; my site won’t be considered insecure by default :)

I’ve finally switched this site to HTTPS and I must say that CloudFlare has made this extremely easy, straightforward and fast.

Now I’ll be able to have fun with Service Workers and other modern Web goodies that require HTTPS.

Here’s what I had to do in order to get the holy green padlock.

First I had to create a (FREE) account on CloudFlare. Once my account was created I entered the domain that I wanted to add, and CloudFlare scanned for all the DNS zone entries it could find. That took about a minute and the result was correct.

Next, I had to change my domain’s name servers to replace the OVH ones with CloudFlare’s. It didn’t take long for the switch to actually take place, even though DNS propagation ain’t the fastest of things.

And bam, done… or almost.


As I like tweaking stuff, I had to check out all the features provided by CloudFlare, and the least I can say is that the feature list included in the free tier is just plain impressive!

Here’s what I’ve enabled:

  • SSL w/ SPDY: SSL between clients and CloudFlare as well as between CloudFlare and OVH (the certificate presented by OVH isn’t trusted, so that hop is encrypted but the origin isn’t actually authenticated; still better than nothing)
  • IP firewall: basic but nice given the price :p
  • Automatic minification of JS/CSS/HTML assets
  • Caching
  • Always online: awesome, they’ll continue to serve my static content even if the site goes down
  • A few other nice things

They also provide ways to purge their cached data and to enable a Dev mode that bypasses the cache so you always get up-to-date resources, etc.

In the future, if I’m convinced that I can keep my site HTTPS-enabled for long, then I’ll also enable HSTS.

I might also give their Rocket Loader feature a try…


Enabling HTTPS for my site is only the first part of the story; there were other changes I needed to make in order to get the almighty green padlock (TM).

I first needed to make sure that my visitors (you guys) visited the site using HTTPS, so I’ve updated my .htaccess file accordingly:

...

RewriteEngine On

# 2015-06-18 - Automatic redirection to https now that CloudFlare is enabled
RewriteCond %{HTTPS} off
# rewrite to HTTPS
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# rewrite any request to the wrong domain to use www.
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

...

With this, I have an automatic http to https redirection. Of course a redirect alone isn’t going to protect you from a MITM who intercepts that first plain-HTTP request, but I’m not ready to enable HSTS just yet.


Next I had to update my WordPress configuration to ensure that all generated links use HTTPS (WordPress address & Site address URL).

This fixed a few issues with mixed content but not all of them. I had to go through all my template’s files to ensure that I was using https everywhere; namely I had hardcoded the URL of my FeedBurner RSS feed.


I also noticed that I was still getting errors in the console about mixed content and indeed my site was retrieving some resources using plain HTTP from other domains.

In order to fix this, I had to

  • use my very rusty SQL-fu to replace http by https at all the places where it made sense in my posts (e.g., links to Google Photos images, links to my own site, etc.)
  • modify one of my WordPress extensions to retrieve its scripts from Google’s CDN using HTTPS
  • get rid of an extension that was using iframes, swf objects and displayed warnings if Flash was missing (oh god..) =)
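As an added example (not from the original post or the author’s site), here is a small Python scanner that does what the browser console was doing above: it parses an HTTPS page and lists the sub-resources still fetched over plain http, separating active content (scripts, stylesheets, frames, plugins, which browsers block) from passive content (images, media, which only cost you the padlock). The sample markup, the page URL and the hosts in it are constructed to mirror the problems listed above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that trigger a sub-resource fetch. Browsers block "active" content
# (scripts, styles, frames, plugins) on https pages; "passive" (images, media) loads but costs the padlock.
SUBRESOURCE_ATTRS = {
    ("script", "src"): "active", ("iframe", "src"): "active", ("object", "data"): "active",
    ("embed", "src"): "active", ("link", "href"): "active",  # link: only rel=stylesheet
    ("img", "src"): "passive", ("audio", "src"): "passive", ("video", "src"): "passive",
}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute_url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for (t, a), severity in SUBRESOURCE_ATTRS.items():
            if tag != t or not attrs.get(a):
                continue
            # <link rel="alternate"> (an RSS feed, say) is navigation, not a fetch
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue
            url = urljoin(self.page_url, attrs[a])  # "//host/x" and "/x" inherit https
            if urlsplit(url).scheme == "http":
                self.findings.append((severity, tag, url))

def scan(page_url, html):
    parser = MixedContentScanner(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample (not the author's real markup) showing the problems the post lists.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://www.example.com/wp-content/themes/x/style.css">
<link rel="alternate" type="application/rss+xml" href="http://feeds.feedburner.com/example">
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
<script src="//cdn.example.net/ok.js"></script>
</head><body>
<img src="http://lh3.googleusercontent.com/photo.jpg">
<object data="http://www.example.com/old.swf"></object>
<a href="http://www.example.com/some-post/">a plain link is not mixed content</a>
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in scan("https://www.example.com/", SAMPLE):
        print(f"{severity:7} <{tag}> {url}")
```

Run it against your own pages before the switch and you get the same list the console would give you afterwards, minus the hunting.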

I also took the opportunity to configure CORS, again through my .htaccess (a wildcard origin is fine here because these are public, read-only assets; browsers refuse it for credentialed requests anyway):

...

RewriteEngine On
# CORS headers (requires mod_headers); the header name takes no trailing colon
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET,POST,OPTIONS,DELETE,PUT"

...

And now, just look at this beauty: (screenshot: the green padlock)
