Use https across your website

What it is

You’re probably familiar with the http at the start of a URL, but you may not be as familiar with HTTPS. The added 's' stands for secure. This means the website uses a protocol called transport layer security (TLS) to encrypt information going between the site and the visitor's computer. This means that if an attacker intercepts this information, they can’t read or change it.

You may also hear people refer to SSL, which is an outdated version of TLS.

How it works

You can tell when a website’s information is encrypted by looking at the address bar at the top of your browser. Depending on which browser you use, there may be a padlock on the left or right of the address bar, and often the word 'secure' next to it.

To protect your customers, https should be enabled across your entire website, including on:

content pages
the content management system (CMS) where you update your website
the control panel (where you login)
forms, particularly those collecting customers' personal information.

HTTPS means that a customer's connection with your website is secure – not the website itself. Read our guide to find out how to keep your website safe.

Protect your website

The risks

If your site uses HTTP instead of HTTPS, an attacker could do things like:

appear to change your website's content – giving customers false information
steal information customers submit to your website, including login details, personal information or financial details
insert ads or malware into any of your webpages without your knowledge. Your customers could also unintentionally download this malware to their computers.

These types of attacks are known as a 'man-in-the-middle' attack.

Man-in-the-middle-attack – Wikipedia

Why HTTPS matters – web.dev

Why it matters

There are several benefits to adding https to your website, and it doesn’t cost much to implement.

Trust in your website

Customers know that a website with a padlock is more trustworthy than one without.

Limited browser warnings

If your website doesn’t have HTTPS, your visitors may get a warning message telling them that your site is not secure.

For example, when you visit a website or web page that doesn’t use HTTPS on Chrome, it warns you that the connection isn’t secure. A 'not secure’ message displays in the address bar next to the URL.

Improved security

Information on a webpage goes through several points between a browser and a web server. An attacker could intercept the information at any of the points along this path. By encrypting the information using TLS, you can stop an attacker from:

stealing your customers' data, or
putting their own data onto your website.

Better search ranking

Search engines include the use of HTTPS as a factor when they’re ranking your website in search results – so using HTTPS gives your website a boost in search results over similar sites that don’t.

As more sites implement HTTPS over time, it’ll become obvious if your website doesn’t have it — and it’ll be harder for your customers to find.

How to protect your website

To make your website use TLS you’ll need a digital certificate, called a TLS certificate. It's sometimes called an SSL certificate too. Some issuers of TLS certificates can even issue you one for free.

If you have a technical support person, talk with them about moving to HTTPS. If you manage your own website, ask your hosting company if they provide SSL/TLS certificates. If they do, they can probably help you implement it.

They’ll need to:

get and implement an SSL/TLS certificate for you
add a permanent redirect to your site (from HTTP to HTTPS), and
update any links to third party scripts to include HTTPS.

You’ll need to:

update any links inside the content to include HTTPS. This includes links to images, downloads and tools
set a reminder for a month before the certificate expires – this will make sure you renew it in plenty of time, and avoid letting it run out.