Securing your self-hosted website with Let’s Encrypt, part 5: I have HTTPS, and now what?

In part 4, we looked at hardening default configurations and avoiding known vulnerabilities, but what other advantages are there to having our sites run HTTPS?

First, a recap of what we get by using HTTPS:

  • Privacy – no one knows what your users are accessing
  • Integrity – what is sent between you and your users is not tampered with at any point*

*unless the users’ computers are infected with a virus or some kind of browser malware that modifies pages after the browser has decrypted them, or modifies the content before the browser sends it back to the network. Remember I said that security is not 100% guaranteed? Sorry to scare you. You’re welcome 😎

So that’s cool, but there’s even more!

HTTPS-only JS APIs

Most of the newest platform features are only available when served via HTTPS, and some existing features, such as Geolocation or AppCache, now only work when served over HTTPS too. For example:

  • Service Workers
  • Push notifications
  • Background sync
  • Adding to home screen
  • WebRTC

While this is ‘annoying’, because it complicates web development and makes it less accessible than it used to be (“just place some files in a folder and bam, you’re done!”), restricting these APIs to HTTPS also makes sense: at the same time that they add more power to the web platform, they are also capable of exposing far more private user data than the pre-HTML5 APIs if that data is transmitted over plain HTTP.

You can read about the reasoning behind this move in the Secure Contexts specification.
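As an added example (not code from the original post), here is a small implementation of the Secure Contexts rule that decides whether an origin is "potentially trustworthy" and therefore gets the HTTPS-only APIs listed above, plus a guard that only registers a Service Worker when the page really is in a secure context. The worker path and the `win` parameter are illustrative assumptions.

```javascript
// Added example, not part of the original post. Uses the global WHATWG URL
// class (available in browsers and Node 10+).

// Returns true when `urlString` has a "potentially trustworthy" origin per the
// Secure Contexts spec: https/wss/file schemes, or plain http/ws on loopback.
function isPotentiallyTrustworthy(urlString) {
  let u;
  try { u = new URL(urlString); } catch (e) { return false; }
  // Schemes that are secure by definition.
  if (u.protocol === 'https:' || u.protocol === 'wss:' || u.protocol === 'file:') {
    return true;
  }
  // Plain http/ws is trustworthy only on the loopback interface.
  // hostname keeps IPv6 brackets ("[::1]"), so strip them before comparing.
  const host = u.hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (host === '::1') return true;
  // Anything in 127.0.0.0/8 counts as loopback.
  const m = host.match(/^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (m && m.slice(1).every((octet) => Number(octet) <= 255)) return true;
  return false;
}

// Browser-side guard: register a Service Worker only when the document is in a
// secure context, so the failure is explicit instead of a silent rejection.
// `swPath` is a hypothetical worker script; `win` defaults to the real window
// and can be replaced with a stub for testing outside a browser.
function registerWorkerIfSecure(swPath, win = globalThis) {
  if (!win.isSecureContext) {
    return { registered: false, reason: 'not a secure context (serve over HTTPS)' };
  }
  if (!win.navigator || !('serviceWorker' in win.navigator)) {
    return { registered: false, reason: 'Service Workers not supported' };
  }
  // register() returns a Promise<ServiceWorkerRegistration> in real browsers.
  return { registered: true, pending: win.navigator.serviceWorker.register(swPath) };
}
```

Note that `isSecureContext` is the browser's own verdict, so a page served over HTTP on a public hostname will get `registered: false` even if the rest of your site is already on HTTPS.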

Hopefully, Let’s Encrypt will help make HTTPS universally available to everyone, not just those fortunate enough to have the time and money required to obtain and install digital certificates.

Coming up next: WordPress considerations, and cool things you can do with WordPress and HTTPS.