I have a client who wants to install an SSL certificate so that it runs on his entire website. I manage the web for him but not the server, so the one who manages the server will do the installation. He contacted me saying that if he installs SSL, he wants to know if I will make the changes on the web. But I have installed other certificates on the websites of other clients and I don't know what it refers to.
Does anyone know what he means when he tells me to make changes to the web when installing SSL?
Website content checks
There are several things that could change when adding a certificate to a web server to offer HTTPS access:
You can check that the URLs in the action fields of <form> tags are not absolute. Sometimes the submissions are done via function libraries like jQuery, which might make it a bit difficult for you to find manually entered URLs, especially if the URL or its generation is somewhat obfuscated (intentionally or unintentionally).
Access-Control-Allow-Origin, for example), such as external APIs (Google Maps, Google AdWords, etc.) that require configuring the allowed remote URL. By switching to HTTPS those calls to external APIs might stop working.
http://unapagina.com/api.js to //unapagina.com/api.js (the URL begins with // to indicate that the same protocol is used).
Web server configuration improvements
In addition to the previous checks, I recommend doing the following tasks:
Previous tests
If you do not have a development environment where you can do the tests, you always have the possibility to follow these steps to test how the web will behave when you activate HTTPS:
Final considerations
It is very likely that the page works as it is when activating HTTPS (without making any changes), but search engines have links or clients have URLs with HTTP in favorites, so you will still have users entering via HTTP even if you have the HTTPS service activated.
This is solved with the HTTP -> HTTPS redirection on the server side.
External resources (such as images, style sheets, scripts, etc.) bound by HTTP are likely to stop working because the browser refuses to load insecure resources within a secure page.
It is fixed by changing the link to its HTTPS version or removing the http: scheme from the URL, but it is possible that the server that hosts said resource does not have HTTPS activated or has it with an invalid certificate (self-signed, for example) that keeps preventing it from loading. Contact the provider of that resource for a solution or, if it's a static resource, download it (if you have a license or permission to do so) and link to it on your own server.
Almost all web applications (forums, content managers, etc.) have a control panel where you can activate various parameters such as HTTPS access, force the use of HTTPS, etc. Search the documentation of the provider of said application to consult everything related to the subject or contact their support for information.
When using some APIs (such as Google Maps, hit counters, advertisements, etc.) you must explicitly authorize the URL(s) that can use the API with a certain API key. Some use only domain names and are agnostic to the scheme used (http: or https:) but it could be that other APIs stop working. Again, I recommend you read its documentation or review its configuration to see if they allow you to activate it or add two URLs, with and without HTTPS.
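One way to automate the content checks described in the answer above, as an added example that is not part of the original answer: it scans a page for hard-coded http: URLs in form action fields and in loaded resources, and leaves relative, protocol-relative (//) and https: URLs alone. The function names, the list of tag/attribute pairs and the host www.example.com are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# (tag, attribute) pairs that make the browser load a resource or submit data.
URL_ATTRS = {
    ("form", "action"), ("script", "src"), ("img", "src"),
    ("iframe", "src"), ("link", "href"), ("source", "src"),
}

class InsecureUrlFinder(HTMLParser):
    """Collects hard-coded http: URLs that can break once the page is served over HTTPS."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []  # tuples of (line, tag, attribute, url, advice)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) not in URL_ATTRS or not value:
                continue
            parts = urlsplit(value.strip())
            if parts.scheme.lower() != "http":
                continue  # relative, protocol-relative (//host/...) and https: are fine
            if (parts.hostname or "").lower() == self.own_host:
                advice = "same site: use a relative or https: URL"
            else:
                advice = "external: confirm the host serves HTTPS with a valid certificate"
            line, _ = self.getpos()
            self.findings.append((line, tag, name, value, advice))

def find_insecure_urls(html, own_host):
    finder = InsecureUrlFinder(own_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; www.example.com stands in for the client's site.
SAMPLE = """<html><head>
<script src="http://unapagina.com/api.js"></script>
<script src="//unapagina.com/api.js"></script>
<link rel="stylesheet" href="/css/site.css">
</head><body>
<form action="http://www.example.com/contact.php" method="post"></form>
<img src="https://cdn.example.net/logo.png">
<a href="http://www.example.com/about">About</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url, advice in find_insecure_urls(SAMPLE, "www.example.com"):
        print(f"line {line}: <{tag} {attr}={url!r}> -> {advice}")
```

Plain <a href> links are deliberately not reported, since the server-side HTTP -> HTTPS redirection covers them; URLs built at run time by script code will not be found by a static scan like this one.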