Listen to this post: How to Use SSL and HTTPS Properly on Your Site (2026 Practical Guide)
Picture this: someone sits in a café, taps into the free Wi-Fi, and logs in to your site. They type an email address and password, maybe a card number, maybe a message they don’t want anyone else to read.
Without HTTPS, that data can be watched, changed, or redirected, often without either of you noticing. With HTTPS in place, the connection is encrypted, and the browser gets proof it’s really talking to your domain, not a lookalike.
This guide walks you through the parts that matter: choosing the right certificate, installing it cleanly, forcing HTTPS across every page, tightening security settings, and testing so you can trust what you’ve shipped.
SSL, TLS, and HTTPS explained in plain English
People still say “SSL”, but the modern protocol is TLS (Transport Layer Security). Think of SSL as the old label on the tin, TLS as what’s actually inside.
HTTPS is HTTP plus TLS. When your site uses HTTPS, the browser and your server create a secure tunnel before any real data is exchanged. That tunnel does three big jobs:
- Encrypts traffic so eavesdroppers can’t read it.
- Protects integrity so data can’t be quietly altered in transit.
- Proves identity so the browser can confirm it’s connected to the right domain.
That identity check comes from a certificate. A certificate is a small digital document issued by a Certificate Authority (CA). It usually includes:
- The domain name(s) it’s valid for
- A public key (used to set up encryption)
- The issuer (which CA signed it)
- The expiry date
- Extra details like certificate chain info and transparency data
Browsers verify the certificate, check it hasn’t expired, and check it chains back to a trusted CA. If that all looks good, you get the padlock icon. If not, visitors see warnings that feel like a slammed door.
For a broader checklist of phases and pitfalls, this SSL/TLS implementation best practices guide is a helpful reference.
What HTTPS protects, and what it does not
HTTPS is powerful, but it’s not magic.
What it protects well:
- Stops spying: People on shared networks can’t read logins, forms, or pages.
- Blocks tampering: Attackers can’t easily inject scripts or swap content mid-flight.
- Reduces phishing risk: A valid certificate shows the visitor they’re on the right domain, not just “a site with a convincing design”.
What it does not protect:
- It doesn’t remove malware from your server.
- It doesn’t fix weak passwords or stolen accounts.
- It doesn’t prove your business is honest, only that the domain is controlled by whoever got the certificate.
- It doesn’t stop scams hosted on a real, properly secured domain.
One common trap is mixed content. That’s when your page loads over HTTPS, but pulls images, scripts, fonts, or iframes over plain HTTP. The page can show a padlock, yet still have a weak link. Modern browsers may block the risky parts (like scripts) or show warnings, both of which can break pages and trust.
Which certificate type should you choose (single-domain, wildcard, multi-domain)
Most sites don’t need a complicated certificate plan. Pick based on what you actually host.
| Certificate type | Best for | Watch-outs |
|---|---|---|
| Single-domain | One site, one host (often with www as well) | Simple, least risk |
| Wildcard | Many subdomains under one domain | If the private key leaks, more is exposed |
| Multi-domain (SAN) | Several different domains in one cert | Management can get messy if domains change |
Rules of thumb:
- Single-domain fits most websites (and it’s easier to rotate keys safely).
- Wildcard only makes sense if you truly have lots of subdomains you can’t predict.
- SAN is for teams juggling multiple brands or properties.
Free vs paid: free certificates (like DV) can still provide strong encryption. In day to day browsing, users usually see the same padlock. Paid options can add support, warranty language, and sometimes smoother admin tools, but the basics of HTTPS don’t change.
Set up HTTPS the right way (certificate choice, install, and renewal)
Getting a certificate installed is half the work. Getting it installed cleanly is what makes it reliable.
Start with a few decisions:
1) Where will TLS terminate?
If you use a CDN (Cloudflare, Fastly, Akamai, etc.), TLS often terminates at the edge. If not, it terminates on your origin server. Either can be correct, but be clear which one is responsible for redirects, headers, and renewals.
2) Use modern protocol support.
In 2026, the baseline expectation is TLS 1.3, with TLS 1.2 kept only for older client compatibility. Older protocols (TLS 1.0 and 1.1) should be off.
3) Generate keys and install the full chain.
A lot of “HTTPS is broken” tickets come from missing intermediates. Your server needs the full certificate chain (leaf cert plus intermediates) so browsers can validate it quickly and consistently.
4) Plan for shorter certificate lifetimes.
Certificate validity periods have been getting shorter across the industry. Many certificates are now issued for around six months, and the direction of travel is clearly towards more frequent renewal. Treat renewal like a routine task, not a calendar reminder someone might miss.
If you want a safe starting point for server-side configuration, the Mozilla SSL Configuration Generator gives recommended settings for common web servers and load balancers.
Modern TLS settings to aim for in 2026 (protocols, keys, performance)
A good HTTPS setup should feel invisible. No warnings, no odd compatibility problems, no speed penalty.
Aim for:
- TLS 1.3 enabled (keep TLS 1.2 only if you need it).
- TLS 1.0 and 1.1 disabled. They’re weak and unnecessary for most audiences now.
- Strong keys: RSA 2048-bit minimum, or ECDSA if your platform supports it well. ECDSA keys can be smaller and fast, with strong security when configured properly.
- Forward secrecy: With modern TLS, each session uses fresh keys, which limits damage if a key is ever exposed later.
- HTTP/2 and HTTP/3: These often come “for free” once HTTPS is properly set up on a modern stack, and they can improve real page load behaviour, especially on mobile networks.
Keep the goal simple: new browsers get the best security and speed, old clients get a graceful fallback (or get blocked, if your audience doesn’t need them).
Automate renewals so your site never goes down
An expired certificate is like a shop with the shutters down and an alarm blaring. Visitors bounce, and support queues fill up fast.
Automation matters more now because lifetimes are shorter, and some programmes are moving towards a maximum around 200 days from March 2026. That’s not a “set it and forget it” world.
Common automation routes:
- ACME clients (for example Certbot) running on your server or as part of your deployment pipeline
- Hosting control panels (many can auto-issue and auto-renew)
- CDN-managed certificates, where the provider handles renewals for the edge
A simple renewal checklist:
- Set renewals to run well before expiry (weekly is common).
- Keep email alerts on, even if you trust automation.
- Run a test renewal after setup and after major server changes.
Force HTTPS everywhere (redirects, HSTS, and removing mixed content)
A working certificate doesn’t automatically mean your site is “HTTPS-only”. Many sites accidentally serve both HTTP and HTTPS, which splits signals, confuses users, and leaves cracks attackers can use.
Your goal is one clear answer: every request ends up on the HTTPS version of the correct host.
Key steps:
- Redirect HTTP to HTTPS.
- Pick one preferred host (www or non-www) and stick to it.
- Update canonical tags, sitemaps, and internal links so your site doesn’t keep “remembering” the old scheme.
- Remove mixed content so the padlock is real, not cosmetic.
For a practical overview of redirect behaviour and common traps, this URL redirects guide for 2026 is a solid companion read.
Redirect HTTP to HTTPS without breaking pages
Use 301 redirects for permanent moves. That tells browsers and search engines the HTTPS URL is the one that counts.
Best practice is to do redirects at the server or CDN level if you can. It’s faster, and it avoids weird app-level edge cases.
What must redirect:
- The homepage
- Deep links (every old URL should land on its HTTPS twin)
- www and non-www variants (choose one)
- Any legacy paths you still see in logs, emails, or old campaigns
Watch for:
- Redirect chains (HTTP to HTTPS to www to slash). Chains add delay and can create crawl waste.
- Redirect loops (A to B to A). These can lock users out completely.
- Inconsistent rules between CDN and origin, which can cause “works for me” bugs.
Turn on HSTS only when you are ready (and what “preload” means)
HSTS (HTTP Strict Transport Security) is a browser rule that says: “Always use HTTPS for this site.”
Once set, browsers stop trying HTTP first. That helps block downgrade attacks and reduces user exposure to sloppy links.
HSTS is delivered as a response header, and you’ll often see options like:
- max-age: how long browsers should remember the rule
- includeSubDomains: applies the rule to all subdomains
- preload: a request to be added to hard-coded browser lists
Be careful:
- Don’t use includeSubDomains until every subdomain is HTTPS and stays that way.
- Don’t request preload until you’re certain you won’t need to serve HTTP again. A mistake here can lock users out, and fixes can take time to propagate.
A safe approach is to start with a shorter max-age, confirm everything behaves, then increase it over time.
Test, monitor, and avoid the common HTTPS mistakes
HTTPS problems are often quiet. A certificate can be valid, yet users still hit warnings, missing assets, or odd SEO duplication. Testing is how you catch the “nearly right” setups.
Think in two loops:
- After setup or changes: test immediately.
- Ongoing: monitor before customers do.
A strong setup usually means:
- TLS 1.3 works for modern browsers
- No weak cipher suites are offered
- The certificate chain is complete
- Redirects are single-hop and consistent
- Mixed content is gone
- Security headers match your intent (HSTS where appropriate)
For deep testing guidance and what “good” looks like, the SSL Labs deployment best practices page is a useful benchmark.
Quick tests to run after setup (and after every change)
Run an external scan and check the browser too.
What to do:
- Use an SSL scanner (SSL Labs is a common choice) and aim for an A-range grade.
- Use a header checker (many teams use securityheaders.com) to confirm HSTS and related headers are present when intended.
- Open DevTools in your browser and look for mixed content warnings and blocked resources.
What to look for:
- TLS 1.3 enabled, TLS 1.2 only as needed
- No weak ciphers
- Correct certificate chain (no missing intermediates)
- OCSP stapling if your server stack supports it, it can speed up certificate status checks
- HSTS status and max-age match your plan
- Consider a CAA DNS record to restrict which CAs can issue for your domain
Mistakes that quietly damage security or SEO
These problems don’t always show up as a big red browser warning, but they still hurt.
Common ones:
- Expired certificates (still the fastest way to lose trust)
- Missing intermediate certificates, causing “works in one browser, fails in another”
- Leaving HTTP accessible without a clean 301 to HTTPS
- Mixed content from old themes, plugins, ad tags, or analytics snippets
- Redirect loops and chains that slow crawlers and frustrate users
- The wrong canonical URL (canonical pointing to HTTP, or to the non-preferred host)
- Forgetting to update sitemaps and robots.txt references to HTTPS
- Serving slightly different content on HTTP vs HTTPS, which can create duplication and indexing confusion
Pick one preferred version (HTTPS plus your chosen host), then make every signal point there.
Conclusion
That café visitor shouldn’t have to think about security. Your job is to make the secure path the only path.
Keep it simple: choose the right certificate type, run modern TLS (TLS 1.3 where possible), automate renewal, and force HTTP to HTTPS with clean 301 redirects. Add HSTS when you’re confident every corner of your domain is stable over HTTPS, then keep testing after every change.
Action list for today: check your certificate expiry date, confirm redirects are single-hop, scan for mixed content, and run an external TLS test. Small checks now prevent loud failures later, and they keep HTTPS working the way users expect.
