Tidbits on software development, technology, and other geeky stuff

Easy HTTPS with Cloudflare

HTTPS everywhere! This is the trend of late, and for good reason. Phishing, connection snooping, man-in-the-middle attacks and hacking in general is pervasive today and security on the web is more important than ever.

I think Google played a bit part in this push, starting with their 2014 HTTP as a ranking signal post where they announced they would start taking SSL into account in their search rankings. Although it’s weighted only a small amount, in that post they left open the possibility for a heavier weighting in the future. Then, they put some money behind this call to action by helping to fund Let’s Encrypt, a non-profit certificate authority giving away free SSL certificates. Finally, in 2016 their Moving towards a more secure web post really struck some fear in site owners everywhere with the announcement they they will eventually start showing regular HTTP connections like this:

Chrome Not Secure Warning

That is a pretty strong imperative to get HTTPS on your site, ASAP. Regardless of how you feel about the need for HTTPS on your simple blog site, the fact that Chrome users (FireFox, Edge and others will surely follow suit) will see this warning on your site is downright jolting.

The good news is, it’s easier and cheaper (free!) than ever to get HTTPS setup on your site. To get my blog running on HTTPS, I decided to use Cloudflare which makes it trival. Let’s walk through the setup.

Initial Setup

Cloudflare Add Site

Cloudflare DNS Records

Cloudflare Free Plan

Cloudflare SSL Setting

HTTPS Rewrites

Even if you serve your site over HTTPS, if you have resources or links pointing to non-secure HTTP URLs, browsers will display a mixed-content security warning which you want to avoid. Ideally, you can update these references in your site itself (and do so going forward) but there is a setting in Cloudflare called “Automatic HTTPS Rewrites” we will use that is a nice stop-gap solution for existing references or ones you missed.

Cloudflare Automatic HTTPS Rewrites

Forcing HTTPS

Finally, we’ll create a Page Rule to force HTTPS on the site. This means thet anyone accessing the http:// scheme for your site will be redirected to the https:// scheme.

Cloudflare Force HTTPS


Now, all you need to do is wait for the nameserver changes to propagate which can take up to 24 hours. Once this process is complete, your site is setup with HTTPS.

That was easy.

Discuss on Twitter