Brief introduction
Nowadays everyone understands how easy it is to hijack an unprotected HTTP session.
Only the price of a certificate holds back widespread adoption,
and www.startssl.com solves that problem by issuing free Class 1 certificates; validated Class 2 certificates cost next to nothing.
Redirect
Once the certificate is bought and the software configured, it becomes obvious that users need to be redirected from http://myisayt.ru to https://myisayt.ru.
Such a redirect leaves a small security hole: the first request still travels over plain HTTP, so an attacker can strike before the redirect happens (intercept the request, answer it with a forged page, or read the cookies it carries). Therefore, mark cookies with the 'Secure' attribute, which tells the browser to send them only over HTTPS; link straight to https:// URLs wherever you can instead of relying on the redirect; and use the following techniques:
The HTTP/1.1 specification says that a 301 ("Moved Permanently") response is cacheable by default, and that a 302 ("Found", formerly "Moved Temporarily") is cacheable only when Cache-Control or Expires headers say so.
So sending the redirect with an Expires or Cache-Control max-age header set far into the future makes it safer: a browser that has cached the redirect rewrites later http:// requests itself instead of putting them on the wire. The obvious problem is that some browser vendors do not follow the specification here.
The second option is the Strict-Transport-Security header.
With this header you tell the browser that the site is reachable only over HTTPS, and the browser rewrites http:// requests to https:// on the client side before sending them.
Strict-Transport-Security: max-age=31556926;
tells a browser that supports the draft standard that for one year (31556926 seconds) the site is to be reached only over HTTPS. (Firefox and Chrome already support it; Opera is waiting for the draft to be approved as a standard.) Two caveats: browsers honour the header only when they receive it over HTTPS, and it protects a visitor only after their first successful HTTPS visit, so the cached redirect above is still needed.
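As an added example (not part of the original post), the following Python code builds the responses just described and audits a captured response against the same rules: a 301 redirect to https:// with a long Cache-Control max-age, a Strict-Transport-Security header on the HTTPS side, and cookies carrying the Secure attribute. The function names are this example's own, and the myisayt.ru URLs are placeholders taken from the post.

```python
"""Added example: build the redirect, HSTS and Secure-cookie responses the
post describes, and audit a captured response against the same rules.
Helper names are this example's own; myisayt.ru is the post's placeholder."""
import re
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31556926  # seconds; the max-age value used in the post


def https_redirect(url, cache_max_age=ONE_YEAR):
    """(status, headers) sending an http:// URL to its https:// twin.

    A 301 is cacheable by default; the explicit Cache-Control max-age tells
    the browser to keep remembering it, so later visits rewrite the URL
    locally instead of putting a plaintext request on the wire."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        raise ValueError("only http:// URLs need redirecting")
    # Drop any explicit port: the HTTPS site listens on 443.
    target = urlunsplit(("https", parts.hostname or "", parts.path, parts.query, ""))
    return 301, {
        "Location": target,
        "Cache-Control": "public, max-age=%d" % cache_max_age,
        "Content-Length": "0",
    }


def https_headers(hsts_max_age=ONE_YEAR, include_subdomains=True):
    """Headers every HTTPS response should carry.

    Browsers ignore Strict-Transport-Security received over plain HTTP
    (RFC 6797 section 8.1), so it belongs here, not on the redirect."""
    value = "max-age=%d" % hsts_max_age
    if include_subdomains:
        value += "; includeSubDomains"
    return {"Strict-Transport-Security": value}


def secure_cookie(name, value, http_only=True):
    """Set-Cookie value the browser will only send back over HTTPS."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    cookie[name]["secure"] = True         # never sent over http://
    cookie[name]["httponly"] = http_only  # not readable from page scripts
    return cookie[name].OutputString()


def audit(status, headers, over_https):
    """Return the list of things a captured response gets wrong.

    `headers` maps names to values; Set-Cookie may be a list of strings.
    `over_https` says which side the response came from: HSTS is only
    checked on HTTPS responses because browsers ignore it elsewhere."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if 300 <= status < 400:
        if not str(h.get("location", "")).lower().startswith("https://"):
            findings.append("redirect does not land on https://")
        if status != 301:
            findings.append("status %d: only 301 is cacheable by default, a 302 "
                            "needs explicit freshness headers" % status)
        if ("max-age=" not in str(h.get("cache-control", "")).lower()
                and "expires" not in h):
            findings.append("redirect carries neither Cache-Control max-age nor "
                            "Expires, so browsers will not remember it")
    if over_https:
        sts = str(h.get("strict-transport-security", ""))
        m = re.search(r"max-age\s*=\s*(\d+)", sts, re.I)
        if not m:
            findings.append("no usable Strict-Transport-Security header")
        elif int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age is below one year")
    cookies = h.get("set-cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    for c in cookies:
        attrs = {a.strip().lower() for a in c.split(";")[1:]}
        if "secure" not in attrs:
            findings.append("cookie %s lacks the Secure attribute" % c.split("=", 1)[0])
    return findings


if __name__ == "__main__":
    status, hdrs = https_redirect("http://myisayt.ru/login?next=/cart")
    print(status, hdrs, audit(status, hdrs, over_https=False))
    good = https_headers()
    good["Set-Cookie"] = secure_cookie("session", "abc")
    print(audit(200, good, over_https=True))
    weak = {"Location": "https://myisayt.ru/", "Set-Cookie": "session=abc; Path=/"}
    print(audit(302, weak, over_https=False))
```

Run against a real server by pasting its response headers into `audit`; a 302 without freshness headers and a session cookie without Secure are the two findings that correspond to the holes described above.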
Do not mix content
Make sure that you load no content from http:// sites. People often forget libraries pulled from a CDN, or leave Google Analytics in its http mode, so the tracking script is still fetched over plain HTTP.
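As an added example (not from the original post), here is a small Python scanner that reports the sub-resources of a page that would still be fetched over plain HTTP: script, image and iframe src attributes, stylesheet and icon links, and url() references in CSS. The HTML it scans is constructed for the example; protocol-relative (//) and https:// references pass, and <a href> links are ignored because following a link is navigation, not mixed content.

```python
"""Added example: find sub-resources that a page served over HTTPS would
still fetch over plain HTTP ("mixed content"). Not the post's own code;
SAMPLE_HTML below is constructed for the example."""
import re
from html.parser import HTMLParser

# attributes whose value the browser fetches as a sub-resource
SRC_ATTRS = ("src", "data", "poster")
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)


class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, url) triples for every http:// sub-resource."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        for name in SRC_ATTRS:
            self._check(tag, name, attrs.get(name))
        # href only loads a resource for stylesheets and icons;
        # <a href="http://..."> is navigation, not mixed content.
        if tag == "link":
            rel = (attrs.get("rel") or "").lower()
            if "stylesheet" in rel or "icon" in rel:
                self._check(tag, "href", attrs.get("href"))
        for url in CSS_URL.findall(attrs.get("style") or ""):
            self.findings.append((tag, "style", url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # HTMLParser delivers the body of <style> via handle_data
        if self._in_style:
            for url in CSS_URL.findall(data):
                self.findings.append(("style", "css", url))

    def _check(self, tag, attr, value):
        # "//cdn.example/..." and "https://..." are fine; only http:// is flagged
        if value and value.strip().lower().startswith("http://"):
            self.findings.append((tag, attr, value.strip()))


def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a page moved to HTTPS with the mistakes named above.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example/css/site.css">
<link rel="stylesheet" href="//cdn.example/css/print.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.js"></script>
<script src="http://www.google-analytics.com/ga.js"></script>
<style>body { background: url(http://cdn.example/bg.png) }</style>
</head><body>
<img src="HTTP://img.example/logo.png" alt="">
<a href="http://partner.example/">partner</a>
<div style="background-image:url('http://cdn.example/x.png')"></div>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML):
        print("%-6s %-5s %s" % (tag, attr, url))
```

The scanner only sees static markup; a script that assembles its own URL at run time (the classic Google Analytics snippet did exactly that) has to be checked in the browser's console or with a proxy instead.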
Additional Information
Detailed article about getting certificates from StartSSL: habrahabr.ru/post/127643
en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
en.wikipedia.org/wiki/List_of_HTTP_status_codes
en.wikipedia.org/wiki/HTTP_cookie#Secure_cookie
An example of a large platform using StartSSL: cartenergy.ru (an online-store builder)