HTTPS - Web Security Best Practices
HTTPS prevents attackers from reading and modifying data sent between your site and browsers. HTTPS should be considered a minimum security requirement for all websites.
HTTPS (Hypertext Transfer Protocol Secure) is an internet communication protocol that protects the integrity and confidentiality of data between the user’s computer and the site. Users expect a secure and private online experience when using a website. We encourage you to adopt HTTPS in order to protect your users' connection to your website, regardless of the content on the site.
Use HTTPS
All pages should use HTTPS to prevent attacks and protect the privacy of your visitors. When a browser loads a URL via HTTP, the data is sent unprotected: attackers can read and modify all data being sent without anyone knowing. Attackers can steal passwords and personal information, inject malware and ads into pages, redirect visitors to malicious sites and more. HTTPS adds encryption to the data sent between your website and browsers to stop attackers from reading or tampering with communications. How you enable HTTPS is specific to the server or hosting service you’re using. Once set up, you should make sure all http:// page requests are redirected to https:// URLs.
Learn more
- Why HTTPS Matters (developers.google.com)
- Communicating the Dangers of Non-Secure HTTP (blog.mozilla.org)
- HTTPS as a ranking signal (webmasters.googleblog.com)
- Introduction to HTTP/2 (developers.google.com)
- HTTPS (en.wikipedia.org)
Avoid mixed content
HTTPS pages should not include HTTP resources, to prevent “mixed content” browser security warnings. Page resources such as JavaScript, images, CSS and iframes that aren’t secured with HTTPS can be tampered with, which can allow attackers to compromise otherwise secure HTTPS pages. For example, if attackers could modify a JavaScript file as it is being sent to a browser, they could inject code to steal passwords or redirect users to a malicious site. To prevent this, browsers block HTTP resources from loading on HTTPS pages and show visitors what are called “mixed content” security warnings. To avoid these problems, make sure all page resources are included using https:// URLs.
Learn more
- Mixed content - MDN web docs (developer.mozilla.org)
- What Is Mixed Content? - Web Fundamentals (developers.google.com)
- Mixed Content - W3C Candidate Recommendation (www.w3.org)
Use secure password forms
Password fields in forms should be sent securely by using POST requests via HTTPS. When a password is submitted from a form on a page to your server, several steps must be taken to send the password securely. Firstly, a page with a password field should be served via HTTPS URLs to stop attackers from modifying the page to send the password wherever they want. Secondly, the form action attribute, which says where the form submission is sent, should be set to an HTTPS URL (<form action="https://…) so an attacker cannot observe the password in transit. Lastly, the form method attribute, which sets the request method to use, should be set to the POST method (<form method="POST"…). This prevents passwords from being visible in browser histories, browser address bars, server logs and in the Referer request header that is sent when navigating to other sites.
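The mixed-content and password-form rules above can be checked mechanically. The following audit script is an added example (not code from the original guide); it parses a page's HTML and reports HTTP subresources and password forms whose action is an explicit http:// URL or whose method is not POST. The sample page embedded in it is constructed for the example, and its hostnames are placeholders.

```python
from html.parser import HTMLParser

# Constructed sample: an HTTPS page with one http:// script, one http:// image,
# a secure stylesheet, and two password forms, the first misconfigured.
SAMPLE_HTML = """
<html><head>
<script src="http://cdn.example.test/app.js"></script>
<link rel="stylesheet" href="https://cdn.example.test/site.css">
</head><body>
<img src="http://img.example.test/logo.png">
<form action="http://login.example.test/auth" method="get">
  <input type="text" name="user"><input type="password" name="pw">
</form>
<form action="https://login.example.test/auth" method="POST">
  <input type="password" name="pw">
</form>
</body></html>
"""

class HttpsAudit(HTMLParser):
    """Collects http:// subresources and password forms that break the rules."""
    RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.mixed_content = []   # (tag, url) pairs loaded over plain HTTP
        self.form_findings = []   # human-readable findings for password forms
        self._form = None         # state of the <form> currently being parsed

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        attr = self.RESOURCE_ATTRS.get(tag)
        # <link> is only a subresource when it pulls in a stylesheet.
        if attr and (tag != "link" or "stylesheet" in attrs.get("rel", "").lower()):
            if attrs.get(attr, "").lower().startswith("http://"):
                self.mixed_content.append((tag, attrs[attr]))
        if tag == "form":
            self._form = {"action": attrs.get("action", ""),
                          "method": attrs.get("method", "get"), "password": False}
        elif tag == "input" and self._form and attrs.get("type", "").lower() == "password":
            self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            f = self._form
            if f["password"]:
                # A relative action inherits the page scheme; only explicit http:// is flagged.
                if f["action"].lower().startswith("http://"):
                    self.form_findings.append(f"password form posts to http:// URL {f['action']}")
                if f["method"].upper() != "POST":
                    self.form_findings.append(f"password form uses {f['method'].upper()} instead of POST")
            self._form = None

def audit_html(html):
    """Return the mixed-content resources and password-form findings for a page."""
    parser = HttpsAudit()
    parser.feed(html)
    parser.close()
    return {"mixed_content": parser.mixed_content, "form_findings": parser.form_findings}
```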
Learn more
- Sending form data (developer.mozilla.org)
- Avoiding the Not Secure Warning in Chrome (developers.google.com)
More articles in this series
➜ This article is from our comprehensive Web Security Best Practices guide.
➜ Next article in this series: HSTS