Bummer! This is just a preview. You need to be signed in with a Basic account to view the entire video.
Implementing TLS for your websites, apps, services, and API is easier than ever with tools like Let’s Encrypt now in wide use. There’s no reason not to join the party!
Finding and Fixing Mixed Content Errors
When a link is added with a FULL PATH, make sure it starts with HTTPS://.
Use the Content-Security-Policy-Report-Only header to monitor mixed content errors on your site.
Use the upgrade-insecure-requests CSP directive to protect your visitors from insecure content.
Checking Your Resources
Double check your site for insecure "mixed content" warnings. Here is an example of mixed content
Here's a simple tool that will tell you about any insecure items on your SSL page! whynopadlock.com
Chrome Developer Tools
- Open Developer Tools: View > Developer > Developer Tools
- Go to the "Security" tab
- If there are any errors or warning make sure the "Console" is open by clicking the errors or warnings in the top right. This will give you detail about which resources have issues
Firefox Developer Tools
- Open Developer Toolbar: Tools > Web Developer > Developer Toolbar
- Expand the toolbar by clicking any error
- Choose the "Console" tab to see details of insecure content
- Self-Signed Certificate: a self-signed certificate is an SSL certificate that is not signed by a trusted, central authority in the SSL/TLS certificate ecosystem.
- Nginx and Apache: two of the more popular web server/proxies that you can run a web app over.
Added Security Note
Sometimes you may still receive a warning when all resources are being loaded via https. One possible culprit is a server that supports outdated security protocols. whynopadlock.com will also give you warnings about out dated protocols.
How to get SSL/TLS certificates for Nginx on Ubuntu with Let’s Encrypt, by Mitchell Anicas
How to get SSL/TLS certificates for Apache on Ubuntu with Let’s Encrypt, by Erika Heidi
We've now seen how TLS works in practice, so let's see how to implement it.
Typically, insuring your site uses HTTPS
requires purchasing certificates for your domain thru a certificate provider.
Such as the place where you registered or host your domain.
Creating your own certificate is also possible using the most popular
open-source library that implements the SSL and TLS protocols, OpenSSL.
OpenSSL is the de facto TLS implementation and
runs on millions of servers, personal computers, and mobile devices.
However, when you create a certificate with OpenSSL, in
most cases you will end up creating what is known as a self-signed certificate.
This means that your certificate is not verified by the central authorities
on the Internet, who work together to keep the Internet's HTTPS
ecosystem safe and functional.
When you do this, web browsers will see your server's self-signed certificate and
will often show a warning that this site is not totally secure.
You may have seen this in your own web browser,
and it definitely can turn users away.
Because of this most developers purchase certificates from authorities that provide
certified and trusted certificates, that you can install on your domain.
Thankfully, there are now more options for doing this.
Two of the most popular choices are Let's Encrypt and
content delivery networks, such as Cloudflare.
Let's Encrypt was launched in 2016 and is a partnership between many
prominent Internet companies, including Akamai and Cisco Systems.
Let's Encrypt now offers three trusted certificates that you can install on your
own application's services and APIs using a simple command-line interface.
Let's Encrypt also allows you to configure the certificates to renew automatically.
And there is virtually no limit to the number of certificates
that you can register.
Let's Encrypt is quickly becoming the new standard by which to protect your domains
This is what we recommend learning.
To learn more about Let's Encrypt check out the teacher's notes for
Another option is going through a content delivery network or
CDN provider, such as Cloudflare.
Cloudflare and other services allow you to configure your domains DNS settings.
They will additionally encrypt all traffic between your users and your server
with TLS, as well as all traffic between your server and Cloudflare.
CDNs, such as Cloudflare, also offer many other perks.
Rate limiting and firewall protections can speed up your web applications and
protect against DDoS attacks.
To get started with Cloudflare just go to cloudflare.com,
where you can add TLS to an unlimited number of your own domains for free.
If you want more advanced protections and features you can pay for upgraded plans.
Implementing TLS is a broad topic and though we won't cover everything here,
we encourage you to explore additional information in the teacher's notes.
You should also check out both Let's Encrypt and Cloudflare.
With cost and ease of use no longer an issue and
the increase in cyber attacks, you should always secure your websites.
If those reasons aren't incentive enough,
remember that Google ads priority to websites using HTTPs.
Many hosting providers offer TLS encryption as an opt-in service, so
that can be an even easier way to get started.
One last thing about TLS,
you'll want to be sure that all the content of your site is encrypted.
That includes media files, third party scripts, and all other content.
For more information check the notes associated with this video.
You need to sign up for Treehouse in order to download course files.Sign up