Kayce Basques

Always protect all your websites with HTTPS, even if they don't handlesensitive communications. In addition to providing critical security and dataintegrity for both your websites and your users' personal information, HTTPS isrequired for many new browser features, especially those required forprogressive web apps.

HTTPS protects your website's integrity

HTTPS helps prevent intruders from tampering with communication between yoursites and your users' browsers. Intruders include both intentionally maliciousattackers and legitimate but intrusive companies, such as ISPs that inject adsinto pages.

Intruders exploit unprotected communications to trick your users into giving upsensitive information or installing malware, or to insert their ownresources. For example, some third parties inject ads that can break your userexperience and create security vulnerabilities.

Intruders exploit every unprotected resource that travels between yourwebsites and your users. Images, cookies, scripts, and HTML are allexploitable. Intrusions can occur at any point in the network, including auser's machine, a Wi-Fi hotspot, or a compromised ISP, just to name a few.HTTPS makes it harder for intruders to get access to your sites' resources.

HTTPS protects your users' privacy and security

HTTPS prevents intruders from passively listening to communications between yourwebsites and your users.

One common misconception about HTTPS is that the only websites that need HTTPSare those that handle sensitive communications. In fact, every unprotected HTTPrequest can potentially reveal information about your users' behaviors andidentities.

A single visit to one of your unprotected websites might seem benign, but someintruders look at your users' aggregate browsing activities to make inferencesabout their behaviors and intentions, and tode-anonymize their identities.For example, employees might inadvertently disclose sensitive health conditionsto their employers just by reading unprotected medical articles.

HTTPS is the future of the web

Powerful new web platform features, such as taking pictures or recording audiowithgetUserMedia(), enabling offline app experiences withservice workers,or buildingprogressive web apps, require explicit permission from theuser through HTTPS. Many older APIs are also being updated to require permissionto execute, such as theGeolocation API. HTTPS is a key component of thepermission workflows for both new and updated features.