Heads up! To view this whole video, sign in with your Courses account or enroll in your free 7-day trial. Sign In Enroll

Introduction to Application Security

Preview

Start a free Courses trial
to watch this video

Sign up for Treehouse

Implementing TLS for Web Apps

4:16 with Alena Holligan and Jared Smith

Implementing TLS for your websites, apps, services, and API is easier than ever with tools like Let’s Encrypt now in wide use. There’s no reason not to join the party!

Finding and Fixing Mixed Content Errors

When your web application is severed over HTTPS, you should make sure that all resources (Images, CSS, JavaScript) are linked to a secure source. If there are resources being served over an insecure connection, your visitors may see a "mixed content" warning. These include both internal and external (3rd Party) sources.

  1. When a link is added with a FULL PATH, make sure it starts with HTTPS://.

  2. Make sure all request are always served over HTTPS. This can be done on the server (apache, EngineX, IIS), CDN (such as Cloudflare) or with an .htaccess file.

  3. Use the Content-Security-Policy-Report-Only header to monitor mixed content errors on your site.

  4. Use the upgrade-insecure-requests CSP directive to protect your visitors from insecure content.

Checking Your Resources

Double check your site for insecure "mixed content" warnings. Here is an example of mixed content

Here's a simple tool that will tell you about any insecure items on your SSL page! whynopadlock.com

Chrome Developer Tools

  1. Open Developer Tools: View > Developer > Developer Tools
  2. Go to the "Security" tab
  3. If there are any errors or warning make sure the "Console" is open by clicking the errors or warnings in the top right. This will give you detail about which resources have issues

Firefox Developer Tools

  1. Open Developer Toolbar: Tools > Web Developer > Developer Toolbar
  2. Expand the toolbar by clicking any error
  3. Choose the "Console" tab to see details of insecure content

New Terms

  • Self-Signed Certificate: a self-signed certificate is an SSL certificate that is not signed by a trusted, central authority in the SSL/TLS certificate ecosystem.
  • Nginx and Apache: two of the more popular web server/proxies that you can run a web app over.
Added Security Note

Sometimes you may still receive a warning when all resources are being loaded via https. One possible culprit is a server that supports outdated security protocols. whynopadlock.com will also give you warnings about out dated protocols.

Documentation

OpenSSL
Let’s Encrypt
Cloudflare
Self-signed certificates

Further Reading

How To Secure Nginx with Let's Encrypt on Ubuntu - Digital Ocean

How To Secure Apache with Let's Encrypt on Ubuntu - Digital Ocean

Related Discussions

Have questions about this video? Start a discussion with the community and Treehouse staff.

Sign up

    Related Discussions

    Have questions about this video? Start a discussion with the community and Treehouse staff.

    Sign up

    We've now seen how TLS works in practice, so let's see how to implement it. 0:00
    Typically, insuring your site uses HTTPS 0:06
    requires purchasing certificates for your domain thru a certificate provider. 0:10
    Such as the place where you registered or host your domain. 0:15
    Creating your own certificate is also possible using the most popular 0:19
    open-source library that implements the SSL and TLS protocols, OpenSSL. 0:24
    OpenSSL is the de facto TLS implementation and 0:30
    runs on millions of servers, personal computers, and mobile devices. 0:33
    However, when you create a certificate with OpenSSL, in 0:39
    most cases you will end up creating what is known as a self-signed certificate. 0:44
    This means that your certificate is not verified by the central authorities 0:49
    on the Internet, who work together to keep the Internet's HTTPS 0:54
    ecosystem safe and functional. 0:59
    When you do this, web browsers will see your server's self-signed certificate and 1:02
    will often show a warning that this site is not totally secure. 1:08
    You may have seen this in your own web browser, 1:12
    and it definitely can turn users away. 1:15
    Because of this most developers purchase certificates from authorities that provide 1:18
    certified and trusted certificates, that you can install on your domain. 1:23
    Thankfully, there are now more options for doing this. 1:29
    Two of the most popular choices are Let's Encrypt and 1:32
    content delivery networks, such as Cloudflare. 1:36
    Let's Encrypt was launched in 2016 and is a partnership between many 1:40
    prominent Internet companies, including Akamai and Cisco Systems. 1:45
    Let's Encrypt now offers three trusted certificates that you can install on your 1:51
    own application's services and APIs using a simple command-line interface. 1:56
    Let's Encrypt also allows you to configure the certificates to renew automatically. 2:02
    And there is virtually no limit to the number of certificates 2:08
    that you can register. 2:11
    Let's Encrypt is quickly becoming the new standard by which to protect your domains 2:12
    with TLS. 2:17
    This is what we recommend learning. 2:19
    To learn more about Let's Encrypt check out the teacher's notes for 2:21
    more resources. 2:26
    Another option is going through a content delivery network or 2:27
    CDN provider, such as Cloudflare. 2:31
    Cloudflare and other services allow you to configure your domains DNS settings. 2:34
    They will additionally encrypt all traffic between your users and your server 2:40
    with TLS, as well as all traffic between your server and Cloudflare. 2:45
    CDNs, such as Cloudflare, also offer many other perks. 2:50
    Rate limiting and firewall protections can speed up your web applications and 2:56
    protect against DDoS attacks. 3:01
    To get started with Cloudflare just go to cloudflare.com, 3:04
    where you can add TLS to an unlimited number of your own domains for free. 3:08
    If you want more advanced protections and features you can pay for upgraded plans. 3:13
    Implementing TLS is a broad topic and though we won't cover everything here, 3:19
    we encourage you to explore additional information in the teacher's notes. 3:24
    You should also check out both Let's Encrypt and Cloudflare. 3:29
    With cost and ease of use no longer an issue and 3:34
    the increase in cyber attacks, you should always secure your websites. 3:37
    If those reasons aren't incentive enough, 3:43
    remember that Google ads priority to websites using HTTPs. 3:47
    Many hosting providers offer TLS encryption as an opt-in service, so 3:52
    that can be an even easier way to get started. 3:58
    One last thing about TLS, 4:01
    you'll want to be sure that all the content of your site is encrypted. 4:03
    That includes media files, third party scripts, and all other content. 4:07
    For more information check the notes associated with this video. 4:12

    You need to sign up for Treehouse in order to download course files.

    Sign up

      You need to sign up for Treehouse in order to set up Workspace

      Sign up