How to Protect Your Site Using SSL and HTTPS

  • What is Secure Sockets Layer (SSL)?

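    SSL is a protocol that encrypts the data being passed back and forth between a web browser and a website’s server. (Current browsers and servers use its successor, TLS, but the certificates and the setup steps are still commonly called SSL.)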

    Think of it this way: you are passing a note to someone across the room. Normally, anyone who’s helping to pass it along can simply open the note and read it. With SSL, you put the note in a locked box, and only the intended recipient has the key. Now no one can read your note unless they have the key.

    In this analogy, your note is the packets of data being carried by the HTTP protocol, the lockbox is the SSL encryption, and the key is called an SSL certificate. Strictly speaking, the certificate carries the public half of a key pair together with your site’s verified identity, while the private half stays on your server and must be kept secret. Enabling this SSL system on your site will provide your users with a more secure browsing environment.

    Sounds great! How do I do it?

    Usually, data packets are sent via the HTTP protocol. When you add the security of SSL encryption, you will use the secured version: HTTPS. Here’s what you’ll need to do:

    • Apply for and purchase an SSL certificate from a Certificate Authority
    • Receive and install your certificate
    • Verify that your site is accessible via SSL by navigating to it using https://
    • Automatically redirect all HTTP requests to HTTPS

    Obtaining an SSL certificate

    The SSL certificate is issued to you by a Certificate Authority (CA). You can search online for a list of Certificate Authorities, or your hosting provider might offer an easy way to purchase an SSL certificate.

    When you request an SSL certificate, you will need to provide some information to allow the CA to identify you. This information is stored in a Certificate Signing Request (CSR). After requesting and receiving your certificate, you will then install it on your server.

    The process of obtaining an SSL certificate looks something like this:

    • Set up your server and update your WHOIS record
    • Generate a CSR on your server (check your server documentation for instructions)
    • Submit the application, including the CSR, to the Certificate Authority
    • Wait while your information is validated
    • Receive and install your certificate
      • For Apache servers, your SSL provider should have instructions on how to install the certificate. You’ll most likely be using cPanel, so check with your CA for cPanel or Apache instructions.

    Make sure it works!

    Manually navigate to your site using https:// to make sure your certificate is properly configured. If you try this and run into any issues, please contact your hosting provider (not SocialEngine).

    Redirecting your site from HTTP to HTTPS

    Now that you have your SSL certificate installed, you need to change the .htaccess file for your SocialEngine installation on your server so that all HTTP requests will be redirected to HTTPS. Here’s how:

    1. Locate the .htaccess file in the root directory of your SocialEngine install. This is the directory where you will see the SocialEngine folders such as “application,” “externals,” “installation,” etc.
    2. Find the line of code that says

      RewriteEngine On
    3. Immediately after that line, insert the following code:

      RewriteCond %{HTTPS} !=on
      RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
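
    To confirm that the rule above really sends plain-HTTP visitors to HTTPS, the following added example (not part of the original article or of SocialEngine) requests a page over HTTP without following redirects and judges the response. The function names and the example.com sample responses are constructed for illustration.

```python
import http.client
import sys
from urllib.parse import urlsplit


def classify_redirect(status, location, host, path="/"):
    """Judge one plain-HTTP response against what the redirect rule should produce."""
    if status not in (301, 302, 303, 307, 308):
        return "FAIL: no redirect (status %d), content is served over plain HTTP" % status
    target = urlsplit(location)
    if target.scheme != "https":
        return "FAIL: redirects to %r, which is not an https:// URL" % location
    if target.hostname != host.lower():
        return "WARN: redirects to a different host (%s)" % target.hostname
    got = (target.path or "/") + ("?" + target.query if target.query else "")
    if got != path:
        return "WARN: path changed from %s to %s" % (path, got)
    if status != 301:
        return "WARN: redirect is not permanent (%d), the rule specifies R=301" % status
    return "OK: 301 to " + location


def check_http_redirect(host, port=80, path="/", timeout=5):
    """Send one GET over plain HTTP, do not follow redirects, classify the answer."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return classify_redirect(resp.status, resp.getheader("Location", ""), host, path)
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample responses (status, Location, host, path); no network needed.
    samples = [
        (301, "https://example.com/members", "example.com", "/members"),
        (200, "", "example.com", "/members"),
        (301, "http://www.example.com/members", "example.com", "/members"),
        (302, "https://example.com/members", "example.com", "/members"),
    ]
    for sample in samples:
        print(classify_redirect(*sample))
    if len(sys.argv) > 1:  # optional live check: python check_redirect.py yourdomain.com
        print(check_http_redirect(sys.argv[1]))
```

    A WARN about a different host is expected if you also add the “www” rule described in the next section.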

    Adding the “www” subdomain to your site URL:

    If you would like to add a www subdomain to your site, you can once again edit the .htaccess file in the root directory of your SocialEngine install on your server:

     
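    RewriteEngine On
    # Send the bare domain to the www host; the dot is escaped so it matches literally,
    # and the target is https:// so visitors are not sent back through plain HTTP.
    RewriteCond %{HTTP_HOST} ^yourdomain\.com [NC]
    RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [L,R=301]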

     

    Additional Reading

    If you’d like to know more about SSL and the setup process, check out this site:

    https://www.sslshopper.com/what-is-ssl.html