HTTPS Everywhere is a best practice security measure for websites that ensures the entire user experience is safe from online threats. The term simply refers to using HTTPS—the secure web protocol enabled by SSL/TLS—across your entire website instead of selectively.
HTTPS provides authentication of the website’s identity, connection, and data integrity, and encrypts all information shared between the website and a user (including any cookies exchanged), protecting the data from unauthorized viewing, tampering, or mis-use. Maintaining a secure connection across an entire browsing session is vital to ensuring users are safe from advanced spoofing, injection, and man-in-the-middle attacks.
It’s no longer acceptable to secure only part of your users’ connections. When you intermittently use HTTPS on your website, only some pages are protected by the encryption and authentication of SSL, and others are therefore vulnerable to data theft, content injection/modification, and the privacy-invasion of internet surveillance.
Intermittent deployment of SSL not only fails to meet user’s security expectations and rights, but also fails to meet the expectations of browsers and OS platforms. As part of a multi-year effort to encourage the adoption of HTTPS, major browser vendors, including Google, Mozilla, and Apple, have slowly been tweaking the user interface of their browsers to negatively reinforce HTTP and positively reinforce secure HTTPS.
Trust is the foundation of the internet economy. To earn that trust, you need end-to-end security to help protect every webpage your users visit—not just the log-in pages and shopping carts. New changes in internet standards and web browsers are also giving websites that use HTTPS a leg up, and are actively punishing unsecure sites that remain on HTTP.
For example, Google has given a search results ranking boost to pages served over HTTPS since 2014. They also display a “Secure” label in the address bar for HTTPS pages. And in July 2018, Google Chrome will start displaying a “Not Secure” warning for every page served over HTTP. Chrome was the first major browser to warn users on all HTTP pages, and other browsers will follow as the internet moves to a "secure by default" standard.
Additionally, many new web technologies and browser features require HTTPS. This includes HTTP/2, a foundational improvement to the web communication protocol that can greatly improve website performance, as well as browser features including geolocation, notifications, Service Workers, Google’s AMP mobile standard, new compression methods, and more. Simply put, without HTTPS, your website will be effectively trapped in the past.
1. Make sure any third-party services you rely on, such as advertising or analytics services running on your site, are available over HTTPS to avoid "mixed content" issues.
2. Purchase additional SSL certificates if different parts of your website run on different servers or domains.
3. Redirect all your web pages to their new HTTPS counterparts and update your Google Webmaster tools. When you switch to HTTPS Everywhere, ther are SEO implications. Google and other search engines view this as a website move, similar to moving to a new domain name.