Friday, October 24, 2014

Moving to HTTPS-only

On November 22nd, all websites hosted under the domain will begin using HTTPS instead of plain HTTP. We will redirect all requests to the corresponding HTTPS site.

Virtually-hosted websites will continue to use plain HTTP, so won't be affected. There also shouldn't be any impact on sites which consist of static content.

We recommend to change all of your absolute links to point to the HTTPS version. You can start doing this immediately; it's already supported! Since we will set up a 301 redirect, no links will be broken.

There are a few things which some sites are currently doing which will cause problems under HTTPS:

  • Including resources from non-secure pages. Some browsers will refuse to load this content, while others will load it but display a degraded security icon.
  • POSTing to non-secure URLs. If your website has forms which post to non-secure URLs, you need to update them to use https instead of http. Although we will set up a redirect, browsers will not necessarily follow this redirect when submitting forms. Additionally, browsers may give a warning if submitting a form which sends data to an insecure URL.
If your website does either of the two thing above, you must fix it before November 22nd, or parts of your website may break. If you use WordPress or another CMS, it is usually sufficient to update the URL in the admin panel.

We appreciate that this may be disruptive to many websites, and have not made the decision lightly. There are many reasons to use HTTPS by default, even for websites which don't contain sensitive information or collect passwords. This is an inevitable transition for the OCF at some point, and while it will be painful, it is easier to make it now than in another four years, when even more sites will be affected.

We estimate that there are about 90 OCF users (~0.3% of OCF users) with active websites which will be affected by the change. We'll try to contact them individually about the change. If you need assistance making changes to your website, don't hesitate to come in during staff hours or send us an email.