When to use https

Hi,

I’m working on an e-commerce site and we’ve just purchased a secure certificate to transmit a shopping cart to the payment gateway without fear of tampering.

Question is, should the whole site be built on https:// or should only the form which posts to the payment gateway be secure?

If anyone can explain, I’d be most grateful, thanks.

You should use it whenever data that needs to be kept secure is being transmitted to and from the server. This includes personal information, payment information, and login information.

That makes sense, but how come companies don’t use https throughout their entire sites, rather than having to code absolute URLs whenever they need to access SSL pages?

Thanks Stymiee

https makes the server work a little harder so sites try to use it only where appropriate.

As far as I know, search engines do not index https pages, so best stick to using SSL on the checkout stages only

Very good point.

Although incorrect, Google does index https pages as a shop I’ve done has around 200 product pages indexed and they are all on the SSL.

Perhaps Google does, but this is from Yahoo’s help pages:

http://help.yahoo.com/help/us/ysearch/deletions/deletions-03.html

There are several ways to prevent our crawler from indexing your site or portions of your site:

  • create a “robots.txt” file on your web site to prevent our crawler from indexing your site
  • add a “noindex” meta tag to your documents
  • remove the original document from your web site
  • host the document on a secure section of your web site (HTTPS or login)

Typically you just make the checkout process be behind the SSL.

I think not to use it in any, because https is encrypted, then the file will be bigger than the usual size.

So are you saying https is useless, mavahntooth?

I hope not because that is not very smart.

If you are collecting or sending sensitive data to/from your website you need to use SSL. Period. Not using it is unsafe and a great way to scare off your customers.

I’m sorry… I mean don’t use it in all pages because the file will become bigger because it will be encrypted on the server side. So all the information that you send is not the normal way you type it in. IMO this will be multiplied in random chars to protect your information.
This also helps your website to provide a good market… they will see that their info is safe. :loveblush:

I’d also suggest you use it any time data is collected, and boast that it’s secure to your surfers. They’ll respect your site more.

you are definitely right! :lol:

I’d recommend just redirecting everything from HTTP to HTTPS, right from the first page

I think if you read the posts above you can see why that isn’t a good idea.

The main reason that I don’t recommend putting your entire site under https is because you may run into incompatibility with third-party scripts used in your HTML.

For example, many traffic tracking scripts that are available (such as Google Analytics) require adding a JavaScript tag to the HTML code of your pages. The JavaScript they supply calls to a hard-coded “http” address. When the script that refers to an http address is run from an https page, the web browser will display a security warning to the effect of “this page includes both secure and insecure items.” When that happens, the “little lock” icon signifying that the page is secure does not get displayed, and the site visitors (and sometimes the site administrator) freak out, wondering why their secure pages aren’t actually secure.

That brings up another suggestion: leave the third-party scripts and traffic trackers off the secure checkout pages on your site if possible. You never know when the third-party provider is going to make a change on their end that causes a security warning on your site.

You can pull Google Analytics off of an HTTPS connection. It wouldn’t really be much good to eCommerce if you could not analyze your checkout process.

To actually add to the thread, another time you need an HTTPS connection is when you redirect from a page that is HTTPS to a page that is normally HTTP. In some (or most) browsers doing an HTTPS to HTTP redirection will throw a security warning, for good reason.

And another time, similar, would be a typically non-secure form that shows up on a secure page: if you POST to the non-secure URL, some browsers will warn about posting secure data to an insecure URL. A typical example of this would be a site quick search that appears on every page; well, if it also appears on secure pages, then to avoid browser warnings you should POST that to a secure URL, even though the search form isn’t going to contain any sensitive data.
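
The two browser warnings described in the posts above (an `http://` script on an `https://` page, and a form on a secure page that posts to an insecure URL) can be caught before a page goes live. The following is an added example, not part of the original thread: a Python check that lists both kinds of reference in a page's HTML. The host names and the sample page are constructed, and the tag list is a deliberately short assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Tags whose URL attribute makes the browser fetch a subresource (short list).
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class InsecureReferenceFinder(HTMLParser):
    """Collect URLs an HTTPS page would fetch or submit to over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # canonical/alternate links are not fetched as subresources
        if tag in RESOURCE_ATTRS:
            self._check("resource", tag, attrs.get(RESOURCE_ATTRS[tag]))
        elif tag == "form":
            self._check("form", tag, attrs.get("action"))

    def _check(self, kind, tag, value):
        if not value:
            return  # e.g. a form with no action submits to the page's own URL
        # Resolve relative and scheme-relative (//host/path) URLs first.
        resolved = urljoin(self.page_url, value.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((kind, tag, resolved))

def find_insecure_references(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # the browser warnings only apply to pages served over HTTPS
    finder = InsecureReferenceFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: checkout page with a tracker and a site-wide search form.
SAMPLE_PAGE = """<html><head>
<script src="http://tracker.example/t.js"></script>
<script src="//cdn.example/lib.js"></script>
</head><body>
<form action="http://shop.example/search" method="post"><input name="q"></form>
<form action="/checkout/pay" method="post"><input name="card"></form>
</body></html>"""

if __name__ == "__main__":
    for finding in find_insecure_references("https://shop.example/checkout", SAMPLE_PAGE):
        print(finding)
```

The scheme-relative script (`//cdn.example/lib.js`) and the relative form action inherit the page's scheme, so only the two hard-coded `http://` references are reported.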