HTTPS versus HTTP for IU websites

Best practice

All IU websites should use HTTPS, and HTTP requests to the same address should be redirected to HTTPS. For example, requests to http://site.iu.edu/your-page should be redirected to https://site.iu.edu/your-page. For instructions on how to add a redirect from HTTP to HTTPS in an .htaccess file, see Use the .htaccess file on Sitehost to redirect to a different URL.

IU Web Framework note: The IU Web Framework sites meet this standard by default. When created, IU Web Framework sites require HTTPS, and HTTP requests to the same address are redirected to HTTPS.
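To confirm that a site meets this standard, check the first response to a plain HTTP request rather than the page a browser finally lands on. The following is an added example, not code from the Knowledge Base or from IU; the function names are hypothetical, and it assumes "the same address" means the same host, path, and query string. The sample responses are constructed.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def check_redirect(http_url, status, location):
    """Return a list of problems; empty means same host, path and query over HTTPS (assumed rule)."""
    if status not in REDIRECT_CODES:
        return [f"status {status} is not a redirect"]
    if not location:
        return ["redirect has no Location header"]
    src = urlsplit(http_url)
    # A relative Location is resolved against the request URL, so it stays on http.
    dst = urlsplit(urljoin(http_url, location))
    problems = []
    if dst.scheme != "https":
        problems.append(f"target scheme is {dst.scheme!r}, not 'https'")
    if (dst.hostname or "") != (src.hostname or ""):
        problems.append(f"host changed to {dst.hostname!r}")
    if dst.port not in (None, 443):
        problems.append(f"unexpected port {dst.port}")
    if (dst.path or "/") != (src.path or "/") or dst.query != src.query:
        problems.append("path or query not preserved")
    return problems


def fetch_and_check(http_url, timeout=10):
    """Send one plain-HTTP GET without following redirects, then apply check_redirect."""
    parts = urlsplit(http_url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        target = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
        conn.request("GET", target)
        resp = conn.getresponse()
        return check_redirect(http_url, resp.status, resp.getheader("Location"))
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample responses for the page's example address.
    url = "http://site.iu.edu/your-page"
    samples = [(301, "https://site.iu.edu/your-page"), (302, "https://site.iu.edu/"),
               (301, "/your-page/"), (200, None)]
    for status, location in samples:
        print(status, location, "->", check_redirect(url, status, location) or "OK")
```

A redirect that sends every HTTP request to the HTTPS home page is reported as "path or query not preserved", since the visitor does not arrive at the address they asked for.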

Policy

Encrypt sensitive data being transmitted to and from the system where possible to ensure the data is protected in transit; see Security of Information Technology Resources (IT-12).

Explanation

The primary reasons to use HTTPS are security and privacy. Using HTTPS encrypts all data sent between a browser and a website. Even if you can guarantee that all the data on your website is public, some visitors may avoid your site if they know it is not using HTTPS.

Google places sites using HTTPS higher in its rankings than those that do not. Bing and Yahoo do not use HTTPS as a ranking factor, but Google is used in over 92% of searches. Additionally, newer versions of the Google Chrome browser replace "http" with "Not secure" in the address bar (see http://example.com/ versus https://example.com). Firefox and Edge replace "http" with a "Show site information" icon that, when clicked, informs the visitor that the site is not secure.

More information

This is document auev in the Knowledge Base.
Last modified on 2023-07-17 14:53:28.