HTTP, HTTPS, and Google Chrome warnings
Posted on September 08, 2017
By Jason Roelofs
Google has begun sending emails to website administrators explaining an upcoming change to the Google Chrome browser. Chrome will start showing a “NOT SECURE” message on any web page hosted under HTTP that includes form elements like text fields. The browser currently shows this message for pages that have login forms or credit card information, but that logic will soon be expanded to cover any web page that allows users to enter and submit information of any sort (e.g. a Contact Us form or commenting on a blog post).
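To check which pages of a site fall under the rule described above, the following sketch (an added example, not part of the original post or of Harmony) scans a page's HTML for fields a visitor can type into. The `classify` function, its result labels, and the lists of input types are assumptions made for this example; they approximate the behavior as this post describes it and are not Chrome's own logic.

```python
from html.parser import HTMLParser

# Input types that take no typed data; every other <input> type is treated
# as a data-entry field (assumption made for this example).
NON_ENTRY_TYPES = {"hidden", "submit", "button", "reset", "image",
                   "checkbox", "radio", "file", "range", "color"}
# autocomplete tokens the HTML standard defines for credit-card fields.
CARD_TOKENS = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month",
               "cc-exp-year", "cc-name"}


class FieldScanner(HTMLParser):
    """Collects the data-entry fields found in one HTML document."""

    def __init__(self):
        super().__init__()
        self.sensitive = []  # password / credit-card fields
        self.entry = []      # any other field a visitor can type into

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        label = a.get("name") or a.get("id") or tag
        if tag == "textarea":
            self.entry.append(label)
        elif tag == "input":
            itype = a.get("type", "text")  # a missing type means a text field
            if itype == "password" or CARD_TOKENS & set(a.get("autocomplete", "").split()):
                self.sensitive.append(label)
            elif itype not in NON_ENTRY_TYPES:
                self.entry.append(label)


def classify(url, html):
    """Return 'ok', 'warned-now' or 'warned-after-change' for one page."""
    if url.lower().startswith("https://"):
        return "ok"  # HTTPS pages are not flagged
    scanner = FieldScanner()
    scanner.feed(html)
    if scanner.sensitive:
        return "warned-now"           # login / card forms: already flagged
    if scanner.entry:
        return "warned-after-change"  # any text entry: flagged by the expanded rule
    return "ok"


if __name__ == "__main__":
    # Constructed sample page: a contact form served over plain HTTP.
    page = '<form><input name="email"><textarea name="message"></textarea></form>'
    print(classify("http://example.com/contact", page))
```

Run it over the saved HTML of each template that contains a form to find the pages that need HTTPS first.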
The email from Google looks like this:
It is true that HTTP sites are not secure. When submitting information to a page hosted under HTTP, it is possible for a malicious actor to see what was submitted. When a site is hosted under HTTPS, this kind of attack is far more difficult to perform. Furthermore, Google and other search engines have started taking HTTPS hosting into account when determining site rankings, preferring sites that are secure over those that may not be.
Now, Harmony does not itself support HTTPS hosting of customer sites for various reasons, but that doesn’t mean HTTPS is not available. There are services that will sit in front of your Harmony site and provide HTTPS for you. We recommend CloudFlare; setting it up is easy and free. Note that setting up a CloudFlare account requires changing your domain’s nameservers to CloudFlare, which may not work for some people.
For those who want to set up a CloudFlare account, after you sign up you’ll see a page similar to this one:
Follow the 4-step setup process as instructed by CloudFlare. Once you’ve completed all four steps and switched your domain’s nameservers, your site will start using HTTPS in about 24 hours.
For those sites where CloudFlare will not work and you would like to get your site under HTTPS, please contact us at firstname.lastname@example.org. While it is true that this version of Harmony does not have built-in HTTPS support, we’ve been working on a version that does!