By Gil Vidals, , HIPAA Blog, Resources


One of the easiest ways to protect the data of those who visit your website is by enabling HTTPS. HTTP, or Hypertext Transfer Protocol, is what web browsers use to communicate with web servers to display information; this traffic, however, is vulnerable to interception and “sniffing.”

HTTPS, on the other hand, takes advantage of SSL Certificates to authenticate website traffic as legitimate, and ensure that data transferred between the site and the user is encrypted.

Data transferred using HTTPS travels over a secure tunnel known as Transport Layer Security. TLS uses three primary methods of securing your data:

First, the connection must be secured by symmetric cryptography. Essentially, when you initiate a connection, a “handshake” occurs between your computer and the web browser, during which the method of encryption and compression are agreed upon by the two computers.

Second, the identity of both parties can be verified using public-key cryptography.

Third, the integrity of the connection itself is guaranteed, as each packet of information uses a message authentication code to detect and prevent data loss/data alteration.

How to Enable HTTPS

So, how do you enable HTTPS on your website?

The setup is actually pretty straightforward. Organizations like LetsEncrypt offer the necessary certificates free of charge. If you’ve got shell access to your webserver, several certificate management clients exist which can automate the issuing and installation of certificates. Certbot or GetSSL are some examples of these clients.

If you’re currently using a hosting provider, that’s not a problem either. Many providers offer support for enabling HTTPS and can request a certificate and install it on your behalf. While you can manually upload the certificate, HTTPS support is becoming increasingly widespread.