Say Goodbye to HTTP

May 11, 2021

When I created this personal website back in 2018, it was supposed to be my small pet project to learn React and use it in a real-life example. That mission was of course accomplished. A quick and simple React app with only static text and pages was created, and it has served as my personal portfolio since then.

A lot of the website has changed over the years, mostly text updates and UI changes. The background image was updated for a "supposedly" better visual; new projects were added and old projects were removed from the site; a blog page was created when I suddenly had a desire to write or plan to write, so on and so forth. However, in the midst of all those changes, one thing has remained the same - the site has always been only on HTTP.

HTTP: bad for security, bad for business. Since version 68, when Chrome started enforcing its HTTPS rule, an obvious, in-your-face "Not Secure" warning icon has been shown in front of the URL in the address bar whenever the browser visits an HTTP-only site. With version 90, Chrome started using HTTPS as the default connection protocol for a user-typed or unfinished URL in the address bar - another push to say goodbye to HTTP, and say hello to HTTPS.

But then the questions came to my mind. Does my little personal website really need HTTPS? Do I really want to spend that effort to get my website on HTTPS? For one thing, it's not an e-commerce site and it doesn't ask any user (if any) to submit any information. For another, it's totally usable and visitable even with just HTTP support.

Believe it or not, those questions may not be the main reasons that this site has stayed HTTP only for 3 years, but they certainly played a big part in stopping my fingers on the keyboard every time I saw that "Not Secure" warning icon on my site address bar and wanted to do something about it. The other factor is certainly my contentment with the site as it is and a lack of desire or time to update it.

Until now.

Just to be clear, and to answer my own questions, there are certainly multiple benefits of moving to HTTPS, even for a small scale personal website/blog. 

  1. It's easier than ever. A lot of web hosting services provide HTTPS out of the box, or with very little configuration effort.
  2. It's good for SEO. Google announced back in 2014 that HTTPS is a ranking factor in its algorithm. HTTPS has become more important in search ranking, sometimes even functioning as a tie-breaker when Google looks at two sites offering similar or the same information. Your site, if you care, could rank higher with HTTPS support.
  3. It looks and feels better. The "Not Secure" warning icon that Chrome puts in there is simply unpleasant. Imagine every time you come to your site, which you have spent a lot of time crafting and creating, you are faced with a reminder from Chrome that it's not good enough because it's not secure.

With that said, and with some extra time to spare, I finally decided to spend some effort to get my site on HTTPS. The process, to my pleasant surprise, which is another way of admitting my ignorance on this subject, turned out to be super easy.

As my code repo is on GitHub and my site is hosted with S3 static website hosting, there are 2 options I can choose from to get on HTTPS:

  1. One is to deploy my site to GitHub Pages, and connect my custom domain to it. GitHub Pages gives HTTPS support for the site out of the box, so that's automatically given. The con? The code repo has to be public. Not much of a con I will say, given that there is little to no sensitive information in the repo.
  2. Another is to add a CloudFront distribution in front of my website S3 bucket. All it takes is some button clicks and quick deployment time. AWS is aware of this use case well enough to have an instruction article on it.

As indecisive as I can be, I went with the second option in a breeze. GitHub Pages is awesome and I have other side projects hosted on there as quick demos. But for this case, my site is already hosted on S3 and it makes sense to do as little as possible and just put CloudFront in front of it.
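
The second option, written as a CloudFormation template instead of console clicks. This is an added example, not the author's configuration or the AWS article's: the parameter and resource names are placeholders chosen here, and it assumes an ACM certificate for the custom domain already exists in us-east-1.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: HTTPS front for an existing S3 static website (illustrative)

Parameters:
  SiteDomain:
    Type: String    # placeholder, e.g. www.example.com
  WebsiteEndpoint:
    Type: String    # placeholder, e.g. BUCKET.s3-website-REGION.amazonaws.com
  CertificateArn:
    Type: String    # ACM certificate covering SiteDomain; must live in us-east-1

Resources:
  SiteDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Aliases:
          - !Ref SiteDomain
        HttpVersion: http2
        Origins:
          - Id: s3-website
            DomainName: !Ref WebsiteEndpoint
            CustomOriginConfig:
              # S3 website endpoints only speak HTTP, so TLS ends at CloudFront
              # and the CloudFront-to-S3 leg is unencrypted.
              OriginProtocolPolicy: http-only
        DefaultCacheBehavior:
          TargetOriginId: s3-website
          # Plain-HTTP requests get a redirect instead of content.
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods: [GET, HEAD]
          Compress: true
          # AWS managed "CachingOptimized" cache policy
          CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6
        ViewerCertificate:
          AcmCertificateArn: !Ref CertificateArn
          SslSupportMethod: sni-only
          # Refuse viewers that cannot negotiate at least TLS 1.2
          MinimumProtocolVersion: TLSv1.2_2021

Outputs:
  DistributionDomain:
    # Point the custom domain's DNS record at this name
    Value: !GetAtt SiteDistribution.DomainName
```

The S3 website endpoint itself stays reachable over plain HTTP after this change, so only visitors arriving through the CloudFront domain get the HTTPS redirect.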

And there you have it. My site is finally on HTTPS. Does that mean a new era for my little personal website? Who knows. Maybe hardly so. But at least I can finally say - Goodbye, HTTP!