8 things to check before enabling HTTPS

Last updated on Thursday, April 20, 2017

Before you add a custom certificate to your website and make the switch to HTTPS, there are a few things you need to check to ensure all the features on your website continue to work as expected once the switch is made. Here are a few things to action before making the switch.

Warning: SSL certificates for custom domains are only supported for domains hosted using the Business Catalyst DNS system. If you are using an external DNS domain you will first need to switch to the internal DNS system.

1. All the assets you use have to be delivered securely

This means that all the JS, CSS and other assets you link in your templates, pages or layouts need to be delivered via HTTPS.

Testing this is pretty simple. Just browse your website using the default secure domain and look out for "mixed content" warnings. Do note that the warning might look different depending on the browser you are using, but the telltale sign is the red padlock next to the URL.

If you run across this error on one of your pages you need to look in the template's HTML code and make sure there are no assets still using the HTTP protocol.

2. All the links within the site should remain relative or point to https

Although this might seem confusing at first, it makes sense. A relative link looks like <a href="/index.html">Home</a> - this indicates the page (index.html) but lets the browser use the same protocol (https) and site host name (yoursecuredomain.com). Using relative links ensures your website visitor remains on the secure version of the site.

Absolute links, on the other hand, look like this - <a href="http://perfume10.businesscatalyst.com/index.html">Home</a>. In this particular example, if the site visitor clicks on the "Home" link he will leave the secure realm of the https protocol and change the hostname from yoursecuredomain.com to businesscatalyst.com. The proper way of using absolute links in your website would be <a href="https://yoursecuredomain.com/index.html">Home</a>.

Now that we've got that out of the way, a good practice (for SEO as well) would be to stay consistent and use either relative links or absolute links that specify the protocol and hostname (https://yoursecuredomain.com).

External assets (usually scripts or CSS files) linked like:

<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>

need to have their path updated to either:

<script type="text/javascript" src="//ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>

(the double slash basically means "use whatever protocol the rest of the page is using") or:

<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>
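The checks from items 1 and 2 can be run over template source before the switch. This is an added example, not part of the original article or Business Catalyst code; the function name, the tag list and the sample template (built from the snippets above) are assumptions of the sketch.

```javascript
// Added example (not Business Catalyst code): audit template HTML for http:// references.
// A regex scan is a quick audit, not a full HTML parser; it will misread a '>' inside
// an attribute value. The tag list below is an assumption of this sketch.
const ASSET_TAGS = new Set(['script', 'img', 'iframe', 'source', 'video', 'audio', 'embed']);

function findInsecureRefs(html) {
  const findings = [];
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
  const attrRe = /(?:^|\s)(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const name = tag[1].toLowerCase();
    const isStylesheet = name === 'link' && /rel\s*=\s*["']?[^"'>]*stylesheet/i.test(tag[2]);
    attrRe.lastIndex = 0;
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      const url = (attr[2] ?? attr[3] ?? attr[4] ?? '').trim();
      // Relative paths, protocol-relative //host paths and https:// URLs are fine.
      if (!/^http:\/\//i.test(url)) continue;
      let kind;
      if (ASSET_TAGS.has(name) || isStylesheet) kind = 'mixed-content'; // loaded by the page
      else if (name === 'a' || name === 'link') kind = 'insecure-link'; // leaves the https site
      else continue;
      findings.push({ tag: name, attr: attr[1].toLowerCase(), url, kind });
    }
  }
  return findings;
}

// Constructed sample template built from the snippets on this page.
const sampleTemplate = `
<link rel="stylesheet" href="/css/site.css">
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>
<script type="text/javascript" src="//ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>
<a href="/index.html">Home</a>
<a href="http://perfume10.businesscatalyst.com/index.html">Home</a>
<a href="https://yoursecuredomain.com/index.html">Home</a>
<img src='http://yoursecuredomain.com/images/logo.png'>
`;

for (const f of findInsecureRefs(sampleTemplate)) {
  console.log(`${f.kind}: <${f.tag} ${f.attr}="${f.url}">`);
}
```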


3. What about SEO?

After switching to HTTPS, SEO-wise, it will be like changing your website's domain altogether. It will take some time for the crawlers to re-index your website and a certain drop in rankings will most likely be seen.

Maintaining your link integrity (using only relative links and making sure that no links point to the non-secure HTTP version of the site) will help with the SEO score.

4. sitemap.xml

After enabling SSL on your domain the system will need to regenerate your sitemap.xml. Do note this might take up to 24 hours to complete.

5. Webmaster tools, analytics, domain verification

As you might have guessed, enabling HTTPS will also require re-registering your website in Google's webmaster tools, updating your Analytics tracking code (as this is basically a new website) and re-verifying your domain ownership.

6. AJAX requests

If you are using AJAX calls on your website you should make sure those calls are working on the HTTPS-enabled domain. You can use the default secure domain https://yourwebsite.worldsecuresystems.com to test them out.

7. iFrames

Another thing you need to check is iframes. On Business Catalyst, iframes need to be on the same domain to communicate via JavaScript. This means you will need to update the URLs of the iframes to match the new secure URL of your website.

There is a way of enabling iframes on different domains to communicate without running into the cross-origin restriction. Have a look at this article for more details on the postMessage technique - https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
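The postMessage technique mentioned above, as an added example that is not part of the original article: the sender names an exact target origin, and the receiver checks event.origin, which includes the scheme, so the http:// and https:// versions of a site count as different origins. The widget host, the "resize" message and the function names are hypothetical.

```javascript
// Added example: cross-origin iframe messaging with postMessage.
// PARENT_ORIGIN / WIDGET_ORIGIN are hypothetical; use your own https hosts.
const PARENT_ORIGIN = 'https://yoursecuredomain.com';
const WIDGET_ORIGIN = 'https://widgets.example.com';

// Parent page: address the message to the exact origin expected in the frame,
// never '*', so a frame that navigated elsewhere does not receive it.
function sendToWidget(frameWindow, payload) {
  frameWindow.postMessage(JSON.stringify(payload), WIDGET_ORIGIN);
}

// Receiver: returns the parsed message, or null if it must be ignored.
function acceptMessage(event, allowedOrigins) {
  // Exact string match on scheme + host (+ port); no substring or suffix tests.
  if (!allowedOrigins.includes(event.origin)) return null;
  if (typeof event.data !== 'string') return null;
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch {
    return null; // not JSON: ignore rather than throw inside the handler
  }
  if (msg === null || typeof msg !== 'object' || typeof msg.type !== 'string') return null;
  return msg;
}

// Browser wiring inside the iframe (skipped when run outside a browser).
if (typeof window !== 'undefined' && typeof window.addEventListener === 'function') {
  window.addEventListener('message', (event) => {
    const msg = acceptMessage(event, [PARENT_ORIGIN]);
    // Hypothetical message type: the parent asks the widget to resize itself.
    if (msg && msg.type === 'resize') {
      document.body.style.height = String(Number(msg.height) || 0) + 'px';
    }
  });
}
```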

8. HTTPS on older browsers

You need to keep in mind that older browsers do not use the latest security standards required for SSL-enabled communications. Here is a list of browsers that are unsupported:

  • Google Chrome 6 or older
  • Internet Explorer 7 or older, as well as all Internet Explorer running on Windows XP
  • Firefox 2 or older
  • Safari 2.1 or older

As far as mobile browsers are concerned here is the list of unsupported browsers:

  • Safari on iOS 4.0 or older
  • Android browsers running on version 3 or older
  • Windows Phone browsers running on version 7 or older