Enabling HTTPS on your website via Cloudflare

More and more websites are installing an SSL certificate and converting to HTTPS (secure HTTP). Traditionally, e-commerce websites enforce HTTPS on their logged-in and checkout pages; however, there is a movement supported by big firms like Google, Microsoft and Mozilla to encourage webmasters to convert their websites to HTTPS only. With this in mind, Spiral Hosting are making it easier than ever to secure your website with HTTPS. We have introduced a new AutoSSL feature on all our shared hosting, enterprise hosting and reseller hosting plans. The AutoSSL feature is enabled by default so our hosting clients can enforce HTTPS on their websites.

In addition to following the guide "Enabling HTTPS on your website using .htaccess" or the specific guide for WordPress websites, "Enabling HTTPS on your WordPress website", you will also need to take some additional steps if your website uses Cloudflare.

If you do not yet use Cloudflare but you are considering it, here's a quick summary of what Cloudflare offers:
"CloudFlare works as a reverse proxy. What this means is that once your website is part of the CloudFlare community, your web traffic is routed through CloudFlare’s global network. CloudFlare’s network automatically optimizes the delivery of your web pages by caching static content like CSS, Javascript and images as well as through compression. CloudFlare’s network also blocks threats and limits abusive bots before they hit your server, which means less wasted bandwidth and server resources for you."


So, how to enable HTTPS on your Cloudflare website...

Step 1 - Log in to your Cloudflare dashboard at https://dash.cloudflare.com/

If you initially set up Cloudflare via your cPanel control panel, you may not realise you have a login for Cloudflare. If so, click on "Forgot your password?" and request a password reset from Cloudflare.

For the purpose of this knowledgebase article you must log in to the Cloudflare dashboard because the cPanel interface does not allow you to manage some of the more advanced features, specifically the 'Crypto' settings.

Step 2 - For each of the domain names on your Cloudflare account, navigate to the Crypto page and repeat steps 3-6.

Step 3 - Set SSL to Full

The "SSL" setting will have four options - Off, Flexible, Full and Full (strict).
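If you have purchased a branded SSL certificate for your website, select "Full (strict)", otherwise select "Full" from the dropdown menu. If you are not sure, select "Full". Both options encrypt the connection between Cloudflare and your server; "Full (strict)" additionally requires the certificate on your server to be valid, whereas "Full" does not check it.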

Step 4 - Scroll down to the "Always use HTTPS" option and ensure it's enabled.

Step 5 - Scroll down to the "Minimum TLS Version" option and set it to TLS 1.2
TLS 1.2 is the minimum security encryption standard from 30th June 2018. TLS 1.0 is considered insecure and should not be supported.

Step 6 - Consider enabling "Automatic HTTPS Rewrites"

This setting is really nifty! If you have converted your website to HTTPS but there could still be some HTTP elements (images, stylesheets, and other content), your website could benefit from having this option enabled. This setting should automatically replace any references to http:// in your website's code with the correct https:// (secure HTTP), saving you a lot of time and money. At the time of writing, we're not aware of any negative impact of having this option enabled, but we do advise you to test your website afterwards. The scanner at www.whynopadlock.com is a great tool to check your website for any insecure content.