HTTPS - Web Security Best Practices
HTTPS prevents attackers from reading and modifying data sent between your site and browsers. HTTPS should be considered a minimum security requirement for all websites.
HTTPS (Hypertext Transfer Protocol Secure) is an internet communication protocol that protects the integrity and confidentiality of data between the user’s computer and the site. Users expect a secure and private online experience when using a website. We encourage you to adopt HTTPS in order to protect your users' connection to your website, regardless of the content on the site.
All pages should use HTTPS to prevent attacks and protect the privacy of your visitors. When a browser loads a URL via HTTP, the data is sent unprotected: anyone on the network path can read and modify it without either end noticing. Attackers can steal passwords and personal information, inject malware and ads into pages, redirect visitors to malicious sites, and more. HTTPS runs HTTP over TLS, which encrypts and authenticates the traffic between your website and browsers, so attackers can neither read it nor tamper with it. How you enable HTTPS is specific to the server or hosting service you're using. Once set up, you should make sure all http:// page requests are redirected to
- Why HTTPS Matters (developers.google.com)
- Communicating the Dangers of Non-Secure HTTP (blog.mozilla.org)
- HTTPS as a ranking signal (webmasters.googleblog.com)
- Introduction to HTTP/2 (developers.google.com)
Avoid mixed content
- Mixed content - MDN web docs (developer.mozilla.org)
- What Is Mixed Content? - Web Fundamentals (developers.google.com)
- Mixed Content - W3C Candidate Recommendation (www.w3.org)
Use secure password forms
Password fields in forms should be sent securely by using POST requests over HTTPS. When a password is submitted from a form on a page to your server, three things must hold for it to be sent securely. Firstly, the page that contains the password field must itself be served via HTTPS; otherwise an attacker on the path can rewrite the page so that the form sends the password wherever they want, no matter what the form's attributes say. Secondly, the form action attribute, which says where the submission is sent, should resolve to an HTTPS URL (<form action="https://…) so an attacker cannot observe the password in transit; note that a relative action such as /login resolves against the page's own URL and therefore inherits the page's scheme. Lastly, the form method attribute, which sets the request method, should be set to POST (<form method="POST"…); when the attribute is omitted the browser defaults to GET and places every field, password included, in the query string of the request URL. Using POST keeps the password out of browser histories, the browser address bar, server access logs and the Referer request header that is sent when navigating to other sites. POST does not encrypt anything by itself; the request body is protected only because the submission travels over HTTPS.
- Sending form data (developer.mozilla.org)
- Avoiding the Not Secure Warning in Chrome (developers.google.com)
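The three form rules above, checked in code, as an added example that is not part of the original guide. auditPasswordForm takes the URL the page was loaded from and the form's action and method attributes, resolves the action the way a browser does (an absent action submits to the page itself, a relative one inherits the page's scheme) and reports which rule is broken; submissionUrl shows why the method matters by building the URL a GET submission would actually request. The page URLs, form attributes and field values are constructed for the example.

```javascript
// Audit a form that carries a password field. `pageUrl` is the URL the
// browser loaded the page from; `action` and `method` are the form's
// attributes as written in the HTML (undefined when absent).
function auditPasswordForm(pageUrl, { action, method } = {}) {
  const problems = [];
  const page = new URL(pageUrl);

  // Rule 1: the page itself must come over HTTPS, or the form can be
  // rewritten in transit regardless of what its attributes say.
  if (page.protocol !== 'https:') {
    problems.push({ rule: 'page-https', detail: 'page served over ' + page.protocol.replace(':', '') });
  }

  // Rule 2: resolve the action exactly as the browser does. An absent or
  // empty action submits to the page URL; a relative one ("/session") takes
  // the page's scheme and host. Only the resolved URL's scheme matters.
  const target = new URL(action || '', pageUrl);
  if (target.protocol !== 'https:') {
    problems.push({ rule: 'action-https', detail: 'form submits to ' + target.href });
  }

  // Rule 3: HTML defaults to GET when method is missing or unrecognised,
  // which moves every field into the query string of the URL.
  const m = String(method || 'get').toLowerCase();
  if (m !== 'post') {
    problems.push({ rule: 'method-post', detail: 'method is ' + m.toUpperCase() + ', fields go in the URL' });
  }
  return problems;
}

// The URL a browser would request when the form is submitted with the given
// field values. For GET the fields replace the action's query string; for
// POST the URL is untouched and the fields travel in the request body.
function submissionUrl(pageUrl, { action, method } = {}, fields) {
  const target = new URL(action || '', pageUrl);
  if (String(method || 'get').toLowerCase() !== 'post') {
    target.search = new URLSearchParams(fields).toString();
  }
  return target.href;
}

// Constructed sample forms: one correct form and the three ways to get it wrong.
const SAMPLE_FORMS = [
  { page: 'https://www.example.com/login', form: { action: 'https://www.example.com/session', method: 'POST' } },
  { page: 'http://www.example.com/login', form: { action: '/session', method: 'POST' } },
  { page: 'https://www.example.com/login', form: { action: 'http://www.example.com/session', method: 'POST' } },
  { page: 'https://www.example.com/login', form: { action: '/session' } },
];

for (const { page, form } of SAMPLE_FORMS) {
  const problems = auditPasswordForm(page, form);
  console.log(page, JSON.stringify(form), problems.length ? problems : 'ok');
}

// A GET form leaks the credentials into the request URL:
console.log(submissionUrl('https://www.example.com/login', { action: '/session' },
                          { user: 'alice', password: 'hunter2' }));
```

The second sample is the case that surprises people: the action is relative and the method is POST, yet the audit flags two problems, because a relative action on an http:// page resolves to an http:// URL and the password is sent in clear text anyway.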
More articles in this series
➜ This article is from our comprehensive Web Security Best Practices guide.
➜ Next article in this series: HSTS