YES, your website needs HTTPS.
“But my website doesn’t have any forms and it doesn’t collect information from users.”
It does not matter what kind of information is being collected. HTTPS protects more than just form data! HTTPS keeps the headers, URLs, and contents of all transferred pages confidential.
“There’s nothing sensitive on my site anyway.”
Just because your website is hosted safely in your account doesn’t mean it won’t travel through boxes and cables controlled by who knows how many corporate and state-owned entities. Do you really want someone injecting images, scripts, or ad content onto your page so that it looks like you put them there? Or changing the words on your pages? Or using your website to attack other sites?
HTTPS prevents all of it. It guarantees content integrity and the ability to detect tampering. If we encrypt only secret content, then we automatically paint a target on those transmissions. Encrypt everything, so that no one can tell which of your transmissions contain secrets.
“The site is HTTP, but our forms are submitted over HTTPS.”
This is as bad as not using any HTTPS at all! All the attacker has to do is change the link or form action to a URL on his/her own server. There’s no way to detect this because it happens over the wire with plain HTTP. Encrypt the WHOLE site and redirect HTTP to HTTPS.
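A check for the mixed setup described above, as an added example that is not part of the original page: it flags forms served from an HTTP page (even when the action is HTTPS) and verifies that an HTTP request is answered with a redirect to HTTPS. The function names, the `shop.example` host and the sample HTML are constructed for illustration, and requiring the redirect to stay on the same host is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collects the action attribute of every <form> in a document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            self.actions.append(dict(attrs).get("action") or "")


def audit_page(page_url, html):
    """Return (finding, resolved_target) pairs for forms an on-path party could tamper with."""
    collector = FormCollector()
    collector.feed(html)
    page_is_https = urlsplit(page_url).scheme == "https"
    findings = []
    for action in collector.actions:
        target = urljoin(page_url, action)
        target_is_https = urlsplit(target).scheme == "https"
        if not page_is_https and target_is_https:
            # The page arrived in plaintext, so its HTTPS action can be rewritten in transit.
            findings.append(("https-form-on-http-page", target))
        elif not target_is_https:
            findings.append(("plaintext-form-target", target))
    return findings


def redirects_to_https(request_url, status, location):
    """True if an HTTP request gets a redirect to HTTPS on the same host (assumed policy)."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    src, dst = urlsplit(request_url), urlsplit(urljoin(request_url, location))
    return dst.scheme == "https" and dst.hostname == src.hostname


# Constructed sample (hypothetical host): an HTTP page whose login form posts to HTTPS.
SAMPLE_URL = "http://shop.example/login"
SAMPLE_HTML = '<form action="https://shop.example/session" method="post"><input name="u"></form>'

if __name__ == "__main__":
    print(audit_page(SAMPLE_URL, SAMPLE_HTML))
    print(redirects_to_https("http://shop.example/", 301, "https://shop.example/"))
```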
“I can’t afford a certificate.”
“HTTPS is difficult to set up and maintain.”
It just works if Caddy is your web server. Yes, including certificate renewals. No thought required. For everyone else, HTTPS can still be automated by using a Let’s Encrypt client of your choice.
“Attackers can still impersonate my site, even if I use HTTPS.”
As long as your private key stays private, browsers will show warnings if attackers present a mismatched or invalid TLS certificate. And if the attacker does not use HTTPS at all, browsers should mark the impostor page as insecure. To this end, HTTPS guarantees authenticity.
“It works over HTTP just fine.”
Until browsers start flagging HTTP pages as insecure. Effective July 2018, Google’s Chrome browser marks non-HTTPS sites as ‘not secure’.
“HTTPS impacts SEO.”
You’re right—HTTPS improves it! Switching site URLs improperly may impact your search rankings, but HTTPS actually improves them. Just do the switch properly according to the search engine you’re optimizing for, and everything will be fine.
— HOW TO GET ON HTTPS —
The easiest way is through Let’s Encrypt and the Caddy web server, which enables HTTPS for all your sites automatically.
There are plenty of other ways to get your site on HTTPS without much trouble.