To HTTP or to HTTPS your Joomla Site

To HTTP or to HTTPS your Joomla Site? There is no longer any debate on this age-old question, the evidence out there definitely says you should use HTTPS on all your websites, Joomla or otherwise, even if they don’t handle sensitive communications. Not only has HTTPS become a requirement for many of the new web browsers and progressive web apps, it provides security and data integrity for both your Joomla website and your users’ personal information.

The Long Journey

When a user visits your Joomla site, they use a browser that then sends a request to your web server. The browser software is probably safe on their side, and you (hopefully) have secured your web server. So all things look good, right? But just like in the old west, the danger the Pony Express faced were the open fields between. That’s right, there are open fields that your website data travels across to get to the visitor’s browser, and that is where HTTPS steps in and saves the day by preventing outlaws from stealing your data. These outlaws come in many variations, like illegal hackers, and even legal companies that inject ads into your pages on their journey to the user’s browser.

All the data that travels to your visitor is a resource that can be affected, not just the HTML of your site, but also images, scripts, cookies, etc. And the journey is long with many stops including the ISPs, WiFi hotspots, even down to the user’s machine that might have already been infected.

HTTPS for Journey Protection

First, it might be helpful to have a basic understanding of what HTTPS (HTTP over SSL or HTTP Secure) is and does. HTTPS uses the Secure Socket Layer (SSL) or Transport Layer Security (TLS) as a sublayer under regular HTTP application layering. Imagine an underground tunnel. HTTPS encrypts and decrypts user requests as well as the information that is returned by the server.

Basically, when your user requests information, it’s encrypted on the server end, then sent via the secure socket layer to the user browser where it is then decrypted, so it can be read or processed.

Using HTTPS protects against eavesdropping and man-in-the-middle attacks as your information makes the journey to the end user.

Use of HTTPS will Only Grow Over Time

Before data was as abundant, it was common practice to only use HTTPS when you were doing e-commerce sites or handling sensitive communications. But, as technology has progressed, many user requests that aren’t protected with HTTPS can potentially reveal information about the users, such as their health condition through reading unprotected health information sites, behaviors, and even their personal identification information.

To encourage all sites to use HTTPS, Google has now started prioritizing HTTPS URLs over regular HTTP ones, even if they don’t have links pointed to them.

User permissions are going to be an essential part of new types of applications and APIs on the web. Requiring explicit permission from the user before executing is where HTTPS comes into play. Even older APIs are being updated to require permission to execute, such as social media APIs and GeoLocation APIs.

Setting your Joomla Site to HTTPS

There are a few ways you can set Joomla to HTTPS.

Global Configuration>Server

In the Force HTTPS dropdown, you have three options, to make your public side also force to https, choose Entire Site.

Set it in your htaccess file with this code:

 RewriteEngine on RewriteCond %{SERVER_PORT} !^443$ RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [QSA,R=301,L] Redirect permanent / https://www.yourdomainname.com

You can get more complex with the code in your htaccess. The Joomla docs have a good writeup on this here.

Depending on your hosting company, they normally give you the ability to force everything on your hosting server to https from the control panel, this would also include your Joomla site.

Third Party Verification – the Security Certificate

Please be aware that you will need to first install a Security Certificate (SSL) on your server, otherwise the browser will give your visitors a warning message that the site is running in secure protocol, but hasn’t been verified through a third party with a certificate. There are many options out there, and typically your host will offer them through your control panel. Let’s Encrypt free certificates have become go tos for many.

Interested in learning more about Joomla? Check out our variety of courses about Joomla and Joomla-related topics.

Author

Robbie Adair

Robbie started her career in corporate training until starting her own custom training and media company almost seventeen years ago. In 2010, she began doing classroom training for OSTraining while running Media A-Team. She is often presenting about various tech topics such as Joomla, Fabrik, Web Development, Social Media, and Augmented Reality. She loves seeing that "ah-ha" moment in peoples eyes in her sessions and workshops. She lives in Houston, Texas, but enjoys all the travel for client work and speaking gigs.

View all posts

You're using the paragraphs module? I'm not sure that's possible - have you looked at the Feeds module? https://www.drupal.org/docs/contributed-modules/feeds-paragraphs

Hi, there is a way to insert data into an Entity reference revision field ? I have a node with…

Hey Ed - totally agree. We'll get that in the next draft of the workflow. thanks!

Also, should consider website translation workflow in a Drupal site. Whether it be utilization of a plugin or using a…

Hey nstocco - that's the subject for an entire course :). Yes - the best practice is to use Git…