How to correctly run your website via HTTPS

Search engines are now penalising websites that do not have a secure badge in place. Having a secure certificate in place is now a must if you would like to be listed in search results.

Step 1

They are available to purchase from most hosting providers but there is now even a free service from Let's Encrypt that is backed up by some impressive organisations, such as Mozilla, Chrome, GitHub, and even Umbraco. You can find out more about Let's Encrypt on their website: https://letsencrypt.org/.

Step 2

Once you have added your certificate to your website you will need to ensure that all traffic redirects from HTTP to HTTPS. To accomplish this, you will need to add a rewrite rule to your live environment's web.config file. The location of the file will be in the <system.webServer><rewrite><rules> section.

Now you should add the following rule:

<rule name="HTTP to HTTPS redirect" stopProcessing="true">
  <match url="(.*)" />
  <conditions>
    <add input="{HTTPS}" pattern="off" ignoreCase="true" />
    <add input="{HTTP_HOST}" pattern="localhost" negate="true" />
    <add input="{REQUEST_URI}" negate="true" pattern="^/\.well-known/acme-challenge" />
  </conditions>
  <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>

Step 3

If your secure certificate has been assigned an IP address which can be directly used to access your website, you will also need to add the unique IP address assigned to your secure certificate to your conditions group.

<add input="{HTTP_HOST}" pattern="YOUR IP ADDRESS" />

Your website will now be served via https://mywebsite.com instead of http://mywebsite.com.