Configure HTTPS Properly with AI Prompts


TL;DR

HTTPS encrypts traffic between users and your server, preventing eavesdropping and tampering. Modern platforms handle certificates automatically (Let's Encrypt). Your job: ensure HTTP redirects to HTTPS, fix mixed content, and add HSTS. These prompts help you get it right.

HTTPS Configuration Audit

Audit HTTPS Setup

Audit my HTTPS configuration for issues.

Check for:

  1. Valid TLS certificate (not expired, issued for the domain, full chain served)
  2. HTTP to HTTPS redirect in place
  3. No mixed content (HTTP resources on HTTPS pages)
  4. HSTS header configured
  5. Secure cookies have Secure flag
  6. API endpoints use HTTPS
  7. WebSocket uses WSS (not WS)

Common issues to find:

  • Hardcoded http:// URLs in code
  • Images or scripts loaded over HTTP
  • API_URL using HTTP
  • Missing redirect from www to non-www (or vice versa)
  • Cookies without Secure flag

Search codebase for:

  • http:// (should be https:// or protocol-relative)
  • Hardcoded localhost URLs in production code
  • Environment variables that might have HTTP URLs

HTTP to HTTPS Redirect

Force HTTPS Redirect

Set up HTTP to HTTPS redirect for my application.

For Express, running behind a TLS-terminating proxy or load balancer that sets X-Forwarded-Proto (only trust that header if the app is not reachable directly, since a client can otherwise forge it; app.set('trust proxy', ...) plus req.secure is Express's built-in equivalent):

    app.use((req, res, next) => {
      if (process.env.NODE_ENV === 'production' && req.header('x-forwarded-proto') !== 'https') {
        // Permanent redirect to the same host and path over HTTPS
        return res.redirect(301, `https://${req.header('host')}${req.url}`);
      }
      next();
    });

For Nginx (a plain-HTTP server block whose only job is to redirect):

    server {
        listen 80;
        server_name example.com www.example.com;
        # $server_name is the first name listed, so www requests are also
        # canonicalized to example.com; use $host to keep the requested name.
        return 301 https://$server_name$request_uri;
    }

For Next.js on Vercel: the platform redirects HTTP to HTTPS itself; no application code is needed.

For Apache (.htaccess; the RewriteRule flags must be in square brackets):

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Important: use a 301 (permanent) redirect so browsers and search engines remember the HTTPS URL. Test with curl -I http://yoursite.com/some/path: the response should be a 301 whose Location header points at https://yoursite.com/some/path, i.e. the same path over HTTPS.

HSTS commits you to HTTPS: once a browser has seen the header, it rewrites every http:// request for the host to https:// for max-age seconds and will not let users click through certificate errors. Only enable it after confirming HTTPS works for every page and subdomain it covers. Start with a short max-age (3600) before going to 31536000.

Fix Mixed Content

Find and Fix Mixed Content

Find and fix mixed content issues in my application.

Mixed content = HTTP resources loaded on HTTPS pages. Browsers block these or show warnings.

Find issues:

  1. Check browser console for "Mixed Content" warnings
  2. Search code for http:// URLs
  3. Check external resources (images, scripts, fonts)

Fix approaches:

    <!-- Protocol-relative URLs match the page's scheme; a legacy approach that only helps if the page itself is HTTPS -->
    <script src="//cdn.example.com/script.js"></script>

    <!-- Better: always use HTTPS explicitly -->
    <script src="https://cdn.example.com/script.js"></script>

    <!-- Best: relative paths for your own assets; they inherit the page's origin -->
    <script src="/scripts/app.js"></script>

    // For dynamic URLs in JavaScript, build from the current origin
    const apiUrl = new URL('/api', window.location.origin);

    # For environment variables
    API_URL=https://api.example.com   # not http://

Common sources:

  • Third-party widgets/embeds
  • User-submitted content with http:// URLs
  • Legacy image URLs in database
  • Hardcoded URLs in CSS (background images)
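The "search code for http:// URLs" step above is easy to automate. The following Node script is an added example, not code from the original page: it scans a file's text for http:// URLs in HTML attributes, CSS url() values and JS string literals, separates real mixed content from development localhost URLs and from identifier URLs that browsers never fetch (XML namespaces, schema URIs), and proposes the https:// replacement. The host lists and the sample file are constructed for the demonstration.

```javascript
// Added example, not from the original page: a mixed-content scanner for source
// files. It finds http:// URLs in HTML attributes, CSS url() values and JS string
// literals, classifies each one, and proposes a fix. Host lists and the sample
// file below are constructed for the demonstration.

const HTTP_URL = /http:\/\/[^\s"'`)<>]+/g;

// Plain-HTTP hosts that are normal in development but should never be hardcoded
// in production code (the "Hardcoded localhost URLs" check in the audit).
const LOCAL_HOSTS = new Set(['localhost', '127.0.0.1', '0.0.0.0']);

// Well-known identifier URLs (XML namespaces, schemas) are never fetched by the
// browser, so they are not mixed content; skipping them avoids false positives.
const IDENTIFIER_HOSTS = new Set(['www.w3.org', 'schema.org']);

function classify(url) {
  let host;
  try {
    host = new URL(url).hostname;
  } catch {
    return 'malformed';
  }
  if (LOCAL_HOSTS.has(host)) return 'localhost';
  if (IDENTIFIER_HOSTS.has(host)) return 'identifier';
  return 'mixed';
}

// Scan one file's text; returns a finding per http:// URL with line number,
// classification and suggested replacement.
function scanForMixedContent(source, filename = '<input>') {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const match of line.matchAll(HTTP_URL)) {
      const url = match[0];
      const kind = classify(url);
      let fix;
      if (kind === 'mixed') fix = url.replace(/^http:/, 'https:'); // prefer an explicit https:// URL
      else if (kind === 'localhost') fix = 'read the base URL from configuration (e.g. API_URL)';
      else fix = null; // identifiers and malformed URLs: nothing to change
      findings.push({ file: filename, line: idx + 1, url, kind, fix });
    }
  });
  return findings;
}

// Only 'mixed' findings break an HTTPS page; the rest are hygiene issues.
function summarize(findings) {
  const counts = { mixed: 0, localhost: 0, identifier: 0, malformed: 0 };
  for (const f of findings) counts[f.kind] += 1;
  return counts;
}

// Constructed sample mixing legitimate and problematic http:// references.
const SAMPLE_SOURCE = [
  '<svg xmlns="http://www.w3.org/2000/svg"></svg>',
  '<script src="http://cdn.example.com/app.js"></script>',
  '<img src="https://img.example.com/logo.png">',
  '<style>.hero { background: url(http://img.example.com/hero.jpg) }</style>',
  'const API_URL = "http://localhost:3000/api";',
].join('\n');

const report = scanForMixedContent(SAMPLE_SOURCE, 'index.html');
for (const f of report.filter((x) => x.kind === 'mixed')) {
  console.log(`${f.file}:${f.line} ${f.url} -> ${f.fix}`);
}
```

Run it over every file in the repository and treat any 'mixed' finding as a build failure; the 'localhost' findings are the hardcoded development URLs the audit prompt asks you to move into environment variables.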

Enable HSTS

Configure HSTS Header

Configure HSTS (HTTP Strict Transport Security) for my site.

HSTS tells browsers: "Always use HTTPS for this site."

Recommended header: Strict-Transport-Security: max-age=31536000; includeSubDomains

Options:

  • max-age: Seconds to remember HTTPS-only (31536000 = 1 year)
  • includeSubDomains: Apply to all subdomains
  • preload: Opt into the browser preload list (submitted at hstspreload.org; effectively permanent, since removal takes months to reach users)

Implementation order:

  1. Start with short max-age: max-age=3600 (1 hour)
  2. Test everything works over HTTPS
  3. Increase: max-age=86400 (1 day)
  4. Test again
  5. Go to full year: max-age=31536000

For Express (with Helmet):

    app.use(helmet.hsts({ maxAge: 31536000, includeSubDomains: true }));

For Nginx (in the HTTPS server block; browsers ignore HSTS received over plain HTTP, and "always" adds the header to error responses too):

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Warning: HSTS preload is effectively permanent, because removal from the list takes months to propagate to browsers. Only submit when 100% committed to HTTPS on the domain and every subdomain. The list requires max-age of at least 31536000, includeSubDomains and the preload directive, so the header becomes: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
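The HTTPS audit checklist at the top of the page (redirect in place, HSTS configured, cookies carry Secure) and the HSTS rules in this section can be checked offline against captured responses. The following Node script is an added example, not code from the original page: parseHsts() applies the RFC 6797 directive rules (max-age required, no duplicate directives, unknown directives ignored) and the hstspreload.org eligibility requirements; auditRedirect() checks that a plain-HTTP response is a permanent redirect to https:// that keeps the path; auditSecureResponse() checks HSTS and the Secure flag on every Set-Cookie. The two responses are constructed samples with lowercased header names, in the shape Node's http module returns them.

```javascript
// Added example, not from the original page: an offline auditor for the HTTPS
// checklist (redirect, HSTS header, cookie Secure flag). parseHsts() follows
// RFC 6797 directive syntax; preload eligibility reflects the hstspreload.org
// requirements. The responses below are constructed samples.

const ONE_YEAR = 31536000;

// Parse a Strict-Transport-Security value. Browsers ignore the whole header if
// a directive is duplicated or max-age is missing/malformed, so those are errors.
function parseHsts(value) {
  const r = { valid: false, maxAge: null, includeSubDomains: false, preload: false,
              preloadEligible: false, problems: [] };
  if (!value) {
    r.problems.push('missing Strict-Transport-Security header');
    return r;
  }
  const seen = new Set();
  for (const part of value.split(';')) {
    const directive = part.trim();
    if (!directive) continue;
    const [name, rawVal] = directive.split('=').map((s) => s.trim());
    const key = name.toLowerCase();
    if (seen.has(key)) { r.problems.push(`duplicate directive ${key}`); continue; }
    seen.add(key);
    if (key === 'max-age') {
      const digits = (rawVal ?? '').replace(/^"|"$/g, ''); // delta-seconds may be quoted
      if (!/^\d+$/.test(digits)) { r.problems.push('max-age must be a non-negative integer'); continue; }
      r.maxAge = Number(digits);
    } else if (key === 'includesubdomains') {
      r.includeSubDomains = true;
    } else if (key === 'preload') {
      r.preload = true;
    }
    // Unknown directives are ignored, as RFC 6797 requires.
  }
  if (r.maxAge === null) r.problems.push('max-age directive is required');
  r.valid = r.problems.length === 0;
  r.preloadEligible = r.valid && r.maxAge >= ONE_YEAR && r.includeSubDomains && r.preload;
  return r;
}

// Check the response to a plain-HTTP request: it should be a permanent redirect
// to an https:// URL that keeps the requested path and query.
function auditRedirect(response, requestedPath) {
  const problems = [];
  if (![301, 308].includes(response.status)) {
    problems.push(`expected a permanent redirect (301/308), got ${response.status}`);
  }
  const location = response.headers['location'];
  if (!location) {
    problems.push('missing Location header');
    return { ok: false, problems };
  }
  let target;
  try {
    target = new URL(location);
  } catch {
    problems.push(`Location is not an absolute URL: ${location}`);
    return { ok: false, problems };
  }
  if (target.protocol !== 'https:') problems.push(`Location scheme is ${target.protocol}, not https:`);
  if (target.pathname + target.search !== requestedPath) problems.push('redirect does not preserve the requested path');
  return { ok: problems.length === 0, problems };
}

// Check the HTTPS response: valid HSTS (browsers ignore HSTS sent over plain
// HTTP, so it must be on this response) and Secure on every Set-Cookie.
function auditSecureResponse(response) {
  const hsts = parseHsts(response.headers['strict-transport-security']);
  const problems = [...hsts.problems];
  const cookies = [].concat(response.headers['set-cookie'] ?? []);
  for (const cookie of cookies) {
    const [nameValue, ...attrs] = cookie.split(';').map((s) => s.trim());
    const name = nameValue.split('=')[0];
    if (!attrs.some((a) => a.toLowerCase() === 'secure')) problems.push(`cookie "${name}" lacks the Secure flag`);
  }
  return { ok: problems.length === 0, hsts, problems };
}

// Constructed samples: what curl -I http://example.com/login?next=%2Faccount and
// the matching HTTPS request might return (header names lowercased).
const SAMPLE_HTTP_RESPONSE = {
  status: 301,
  headers: { location: 'https://example.com/login?next=%2Faccount' },
};
const SAMPLE_HTTPS_RESPONSE = {
  status: 200,
  headers: {
    'strict-transport-security': 'max-age=3600; includeSubDomains',
    'set-cookie': [
      'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
      'theme=dark; Path=/',
    ],
  },
};

console.log(auditRedirect(SAMPLE_HTTP_RESPONSE, '/login?next=%2Faccount'));
console.log(auditSecureResponse(SAMPLE_HTTPS_RESPONSE));
```

On the sample data the redirect passes, while the HTTPS response is flagged once for the theme cookie; its HSTS header is valid but, with max-age=3600 and no preload directive, it is correctly reported as not preload-eligible, which is what you want during the ramp-up steps above.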

Pro tip: Test your SSL configuration at ssllabs.com/ssltest. It checks certificate validity, protocol support, cipher strength, and gives you a letter grade with specific recommendations.

Do I need to buy an SSL certificate?

No. Let's Encrypt provides free certificates, and most hosting platforms (Vercel, Netlify, Cloudflare) include automatic HTTPS. Paid certificates are only needed for specific compliance requirements or extended validation.

My certificate is expiring. What do I do?

If using Let's Encrypt with auto-renewal (certbot), it should renew automatically; check the certbot systemd timer or cron job and its logs. Most hosting platforms handle renewal for you. If renewal is manual, run your renewal command and reload the web server so it picks up the new certificate.
