*(HTML snippet; only its visible text survived extraction, the element tags and URL attributes are lost: "A new post on cats!")*

Use relative intrasite URLs.

*(HTML snippet; only its visible text survived extraction: "Welcome To Example.com" and "A new post on cats!")*

Or, use protocol-relative intrasite URLs.

*(HTML snippet; only its visible text survived extraction: "Welcome To Example.com", "A new post on cats!", and "Check out this other cool site.")*
Use HTTPS URLs for links to other sites where possible.

Update your links with a script, not by hand, to avoid making mistakes. If your site's content is in a database, test your script on a development copy of the database. If your site's content consists of only simple files, test your script on a development copy of the files. Push the changes to production only after the changes pass QA, as normal. You can use Bram van Damme's script or something similar to detect mixed content in your site.

When linking to other sites (as opposed to including resources from them), don't change the protocol. You don't have control over how those sites operate, and a link to an `https://` URL that the other site doesn't serve is simply a broken link.

To make migration smoother for large sites, we recommend protocol-relative URLs. If you aren't sure whether you can fully deploy HTTPS yet, forcing your site to use HTTPS for all subresources can backfire. There is likely to be a period of time in which HTTPS is new and weird for you, and the HTTP site must still work as well as ever. Over time, you'll complete the migration and lock in HTTPS (see the next two sections). Keep in mind that a protocol-relative URL on an `http://` page still fetches the resource in the clear, so once the site is HTTPS-only the final step is to change those URLs to `https://`.

If your site depends on scripts, images, or other resources served from a third party, such as a CDN or jquery.com, you have two options:

1. Use protocol-relative URLs for these resources. If the third party doesn't serve HTTPS, ask them to. Most already do, including jquery.com.

2. Serve the resources from a server that you control, which offers both HTTP and HTTPS.
   This is often a good idea anyway, because then you have better control over your site's appearance, performance, and security, and don't have to trust a third party to keep your site secure.

Caution: You'll also need to change intrasite URLs in your stylesheets, JavaScript, redirect rules, `<link>` tags, and CSP declarations, not just in your HTML pages.

## Redirect HTTP to HTTPS

Most web servers offer a simple redirect feature. Use 301 (Moved Permanently) to indicate to search engines and browsers that the HTTPS version is canonical, and redirect your users to the HTTPS version of your site from HTTP.

To tell search engines to use HTTPS to access your site, put a canonical link in the head of each page using `<link rel="canonical">` tags.

## Turn on Strict Transport Security and secure cookies

At this point, you're ready to "lock in" the use of HTTPS:

- Use HTTP Strict Transport Security (HSTS) to avoid the cost of the 301 redirect.
- Always set the Secure flag on cookies.

First, use Strict Transport Security to tell clients they should always connect to your server using HTTPS, even when following an `http://` reference. This defeats attacks like SSL stripping, and, for clients that have already seen the header, avoids the round-trip cost of the 301 redirect that we enabled in the previous section.

Note: Clients that have listed your site as a known HSTS host are likely to hard-fail if your site ever has an error in its TLS configuration (such as an expired certificate). HSTS is explicitly designed this way to ensure that network attackers can't trick clients into accessing the site without HTTPS. Don't enable HSTS until you're certain your site operation is robust enough to avoid ever deploying HTTPS with certificate validation errors.

To turn on HSTS, set the `Strict-Transport-Security` header on your HTTPS responses (clients ignore the header when it arrives over plain HTTP). OWASP's HSTS page has links to instructions for various kinds of server software. Most web servers offer a similar ability to add custom headers.

`max-age` is measured in seconds. You can start with low values and gradually increase the `max-age` as you become more comfortable operating an HTTPS-only site. A client that has seen a long `max-age` will keep upgrading its requests to HTTPS for that long, so a long value is a commitment you cannot quickly roll back.

It's also important to make sure clients never send cookies (such as for authentication or site preferences) over HTTP. For example, if a user's authentication cookie were to be exposed in plain text, your security guarantee for their entire session is destroyed, even if you've done everything else right!

To avoid this, change your web app to always set the Secure flag on cookies it sets. This OWASP page explains how to set the Secure flag in several app frameworks. Every application framework has a way to set the flag.

## Search ranking

Google uses HTTPS as a positive search quality indicator. Google also publishes a guide to transferring, moving, or migrating your site while maintaining its search rank. Bing also publishes guidelines for webmasters.

## Performance

When the content and application layers are well-tuned (refer to Steve Souders' books for advice), the remaining TLS performance concerns are generally small relative to the overall cost of the application. You can also reduce and amortize those costs. For advice on TLS optimization, see High Performance Browser Networking by Ilya Grigorik, as well as Ivan Ristic's OpenSSL Cookbook and Bulletproof SSL and TLS.

In some cases, TLS can improve performance, mostly as a result of making HTTP/2 possible, since browsers only negotiate HTTP/2 over TLS. For more information, refer to Chris Palmer's talk on HTTPS and HTTP/2 performance at Chrome Dev Summit 2014.

## Referer headers

When users follow links from your HTTPS site to other HTTP sites, user agents don't send the Referer header.
If this is a problem, there are several ways to solve it:

- The other sites should migrate to HTTPS. If the sites you link to complete the migration described in this guide, you can change the links in your site to theirs from `http://` to `https://`, or use protocol-relative links.
- To work around a variety of problems with Referer headers, use the Referrer Policy standard (the `Referrer-Policy` response header), which lets you choose how much referrer information your pages send.

Caution: According to the HTTP RFC, clients MUST NOT include a Referer header field in a (non-secure) HTTP request if the referring page is transferred using a secure protocol.

## Ad revenue

Site operators that monetize their site by showing ads want to make sure migrating to HTTPS doesn't reduce ad impressions. However, because of mixed content security concerns, an HTTP
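The opening part of this guide says to update your references with a script rather than by hand, and gives three rules: make intrasite URLs relative, leave the scheme of links to other sites alone, and treat third-party `http://` subresources as mixed content to be fixed. The following is an added example of such a script; it is not code from the original page and not the script the page links to (Bram van Damme's). The host name `example.com`, the sample page, and the hosts `cdn.thirdparty.test`, `other.test` and `secure.test` are constructed for the demonstration.

```python
"""Rewrite a page's references for an HTTPS migration and flag mixed content.

Added example: not the article's code or the script it links to. The host
name example.com and the sample page below are constructed.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Elements whose src/href pull a subresource into the page. An http:// URL in
# one of these on an https:// page is mixed content. An http:// <a href> is
# only a link; the article's rule is to leave its scheme alone.
SUBRESOURCE_TAGS = {"script", "link", "img", "iframe", "video", "audio",
                    "source", "embed", "object"}

TAG_RE = re.compile(r"<([a-zA-Z][\w-]*)([^>]*)>")
ATTR_RE = re.compile(r"""(?<![\w-])(src|href)\s*=\s*(["'])(.*?)\2""",
                     re.IGNORECASE | re.DOTALL)


def rewrite_references(html, site_host):
    """Return (rewritten_html, findings) for one page served from site_host.

    Rules, in the order the article gives them:
      * http(s)://site_host/...        -> site-relative URL (/path?query#frag)
      * http:// subresource elsewhere  -> protocol-relative URL, and reported
        so you can confirm the third party really serves HTTPS
      * http:// link (<a href>) elsewhere -> left untouched, reported only
    Findings are (kind, tag, original_url, new_url) tuples in page order.
    """
    site_host = site_host.lower()
    findings = []

    def fix_attr(tag, m):
        attr, quote, url = m.group(1), m.group(2), m.group(3)
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            # Already relative or protocol-relative, or mailto:, data:, "#...".
            return m.group(0)
        if parts.hostname == site_host:
            relative = urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))
            findings.append(("intrasite", tag, url, relative))
            return f"{attr}={quote}{relative}{quote}"
        if parts.scheme == "http" and tag in SUBRESOURCE_TAGS:
            protocol_relative = urlunsplit(("", parts.netloc, parts.path, parts.query, parts.fragment))
            findings.append(("mixed-content", tag, url, protocol_relative))
            return f"{attr}={quote}{protocol_relative}{quote}"
        if parts.scheme == "http":
            findings.append(("external-link", tag, url, url))
        return m.group(0)

    def fix_tag(m):
        tag = m.group(1).lower()
        new_attrs = ATTR_RE.sub(lambda am: fix_attr(tag, am), m.group(2))
        return f"<{m.group(1)}{new_attrs}>"

    return TAG_RE.sub(fix_tag, html), findings


def mixed_content(findings):
    """Return the original URLs that a browser would treat as mixed content."""
    return [url for kind, _, url, _ in findings if kind == "mixed-content"]


# Constructed sample page; hosts and paths are made up for this example.
SITE_HOST = "example.com"
SAMPLE_PAGE = """<h1>Welcome To Example.com</h1>
<script src="https://example.com/js/app.js"></script>
<link rel="stylesheet" href="http://example.com/css/style.css">
<img src="http://cdn.thirdparty.test/logo.png" alt="logo">
<a href="http://example.com/2014/12/24">A new post on cats!</a>
<a href="http://other.test/">Check out this other cool site.</a>
<a href="https://secure.test/">Already on HTTPS, nothing to change.</a>
"""

if __name__ == "__main__":
    new_html, found = rewrite_references(SAMPLE_PAGE, SITE_HOST)
    print(new_html)
    for kind, tag, old, new in found:
        print(f"{kind:14} <{tag}> {old} -> {new}")
```

Run it over a development copy of your files, review the `mixed-content` and `external-link` findings by hand, and only then run it against production, as the guide advises. The third-party subresource is rewritten to a protocol-relative URL (the guide's first option) rather than to `https://`, because the script cannot know whether that host serves HTTPS; the finding is there so you can ask them.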
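The "Redirect HTTP to HTTPS" and "Turn on Strict Transport Security and secure cookies" sections above describe three checks a migrated site must pass: the `http://` response is a 301 to the `https://` version, the `https://` response carries a `Strict-Transport-Security` header with a valid `max-age`, and every cookie it sets has the Secure flag. The following is an added example that checks captured responses against those rules; it is not code from the original page. The two response pairs are constructed (a half-finished migration and the same site after the fix), and the `session` cookie and `example.com` host are made up. The check deliberately looks for HSTS only on the HTTPS response, because RFC 6797 tells clients to ignore the header when it arrives over plain HTTP.

```python
"""Check that a site has 'locked in' HTTPS as the article describes.

Added example, not the article's code. Each response is
(status_code, [(header_name, header_value), ...]), e.g. as read from
`curl -i`; the responses below are constructed.
"""
from urllib.parse import urlsplit


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into its directives.

    Directive names are case-insensitive and max-age may be quoted
    (RFC 6797 section 6.1). max_age is None if missing or not a number.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            value = value.strip().strip('"')
            result["max_age"] = int(value) if value.isdigit() else None
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def cookie_attributes(set_cookie_value):
    """Return the lower-cased attribute names of one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie_value.split(";")[1:]]
    return {p.split("=", 1)[0].lower() for p in parts if p}


def check_lockin(http_response, https_response, site_host):
    """Return a list of problems; an empty list means the site is locked in."""
    problems = []

    status, headers = http_response
    hdrs = [(n.lower(), v) for n, v in headers]
    if status != 301:
        problems.append(f"http: expected 301 Moved Permanently, got {status}")
    location = next((v for n, v in hdrs if n == "location"), None)
    if location is None:
        problems.append("http: redirect has no Location header")
    else:
        target = urlsplit(location)
        if target.scheme != "https" or target.hostname != site_host.lower():
            problems.append(f"http: redirect target {location} is not https://{site_host}/...")

    # Only the HTTPS response counts for HSTS: clients must ignore the header
    # when it is received over a non-secure transport (RFC 6797 section 8.1).
    status, headers = https_response
    hdrs = [(n.lower(), v) for n, v in headers]
    hsts_values = [v for n, v in hdrs if n == "strict-transport-security"]
    if not hsts_values:
        problems.append("https: no Strict-Transport-Security header")
    else:
        hsts = parse_hsts(hsts_values[0])
        if hsts["max_age"] is None:
            problems.append("https: HSTS header has no valid max-age directive")
        elif hsts["max_age"] == 0:
            problems.append("https: max-age=0 tells clients to forget the HSTS policy")
    for n, v in hdrs:
        if n == "set-cookie" and "secure" not in cookie_attributes(v):
            cookie_name = v.split("=", 1)[0].strip()
            problems.append(f"https: cookie {cookie_name!r} set without the Secure flag")
    return problems


SITE_HOST = "example.com"

# Constructed responses from a site that has only half-finished its migration:
# a temporary redirect, no HSTS, and a session cookie that may leak over HTTP.
BEFORE_HTTP = (302, [("Location", "https://example.com/")])
BEFORE_HTTPS = (200, [("Content-Type", "text/html"),
                      ("Set-Cookie", "session=abc123; HttpOnly; Path=/")])

# The same site after applying the article's advice.
AFTER_HTTP = (301, [("Location", "https://example.com/")])
AFTER_HTTPS = (200, [("Content-Type", "text/html"),
                     ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                     ("Set-Cookie", "session=abc123; Secure; HttpOnly; Path=/")])

if __name__ == "__main__":
    for label, pair in (("before", (BEFORE_HTTP, BEFORE_HTTPS)),
                        ("after", (AFTER_HTTP, AFTER_HTTPS))):
        print(label, check_lockin(*pair, SITE_HOST) or "OK")
```

Start by running the check with a short `max-age` in place, as the section advises, and raise the value only once the check stays clean across certificate renewals; a client that has cached a year-long policy will hard-fail on any later TLS misconfiguration.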