HTTPS for entire site

@BetL925

Posted in: #Https

I'm working on a fairly standard web site with public content plus personal/customized content for registered users. I know I need to use HTTPS when users are logging in or sending credit card details. Is there a reason I shouldn't just use HTTPS for the whole site?

10.06% popularity

6 Comments

@Radia820

Last but not least, several employers do not like their employees browsing "encrypted" https sites. This is the case for defence / security companies and organisations, so if you have an "https only" website, you may lose some of these visitors / customers, because their network will simply not let them browse your site.

10% popularity


@Megan663

Another problem is that everything you serve from any page then really needs to go via SSL, including third-party resources. We've found this is a real problem with something like YouTube, for example. Since Google doesn't make YouTube videos available via SSL, it means that any YouTube video you do want to embed in a page on your site will cause the "this page contains secure and non-secure content" warning. Whilst this is subtle in most browsers, it's a huge dialog in IE and can cause some users to abandon your site pretty quickly, clutching their data to their chest in fear.

10% popularity


@RJPawlick198

If you are planning to run full SSL, make sure that any hosted third party services you're using (ad server, analytics, sharing tools, etc) have SSL versions available, or you'll get mixed content warnings on some browsers.

10% popularity


 

@Carla537

You should also think about growth. Once you have more than a single webserver, you will have to decide: Do you want to provide HTTPS on each individual server, and if so, will you be using the same certificate or a cert per server, as is often recommended? I have seen more common setups where there are fewer HTTPS servers as they are generally only used for processing of sensitive details and more HTTP servers since those tend to receive the bulk of the traffic. HTTPS adds a little more complexity to each of your setups. Just something to keep in mind.

10% popularity


@Welton855

As I see it, the only reasons to not use HTTPS on your entire site are that it will slow your server some and visitors have a slightly slower browsing experience. That being said, there are benefits. Specifically:


You will never have to worry about putting data you want to keep secure on any page of your site. You can't forget.
Users will notice your site is encrypted entirely and may feel more secure in giving you their information.
Users know that your website belongs to your company and hasn't been taken over.


Beyond making it easier for your developers to not worry about showing secure data on an unencrypted page, there is really no technical reason to use HTTPS on every page. By the same reasoning, there is very little reason not to.

10% popularity


@Goswami781

Yes, there's a reason you shouldn't use it for the whole site. Some browsers (depending on brand and version) will not cache content from HTTPS requests to disk, which can seriously slow the browsing experience for users, as static assets will be loaded with every page request (style-sheets, javascript, header images etc). For example, Mozilla states that:


"Disk caching saves copies of the downloaded files on the hard drive so they don't need to be downloaded to be redisplayed. These pages can be viewed by anyone with permission to the cache folder. Pages transmitted with SSL encryption often contain sensitive information and caching of these pages to disk may present a privacy risk. This preference controls whether to cache to disk pages that were transmitted with SSL encryption."


How individual browsers cache HTTPS is somewhat disputed but there still remains a good chance that many users will have disk caching disabled for HTTPS requests.

Secondly, HTTPS requires a "handshake" for every request and this comes with some overhead, which will affect performance and make requests larger (typically only by a few KB - but it's for every request and this adds up). HTTP KeepAlive can limit this, but it's still an overhead that you don't need for non-secure content.

10% popularity