Enabling HTTP Secure (HTTPS)
HTTPS is a protocol that encrypts HTTP requests (like the one you just made to see this page) and their responses. This ensures that if someone were able to compromise a server between your computer and the server you are requesting from, they would not be able to listen in.
When you visit a site that has HTTPS support, the URL looks like this:
https://drupal.org/user/login
If you visit a site via simple (unencrypted) HTTP, it will look like this:
http://drupal.org/user/login
Why is it important to you (and when)
HTTPS is typically used in situations where a user would send sensitive information to a website and interception of that information would be a problem. Commonly this means:
- Credit cards
- Passwords and Usernames
- Identifiable information (Social Security number, State ID numbers, etc.)
- Confidential content
Especially when you, as the administrator, are sending your Drupal password or the FTP password for your server, you should use HTTPS whenever possible to reduce the risk of compromising your web site.
How to enable HTTPS support in Drupal
Web Server configuration
- Get a certificate. Many hosting providers set these up for you, either automatically or for a fee. Simply ask your hosting provider.
- Configure your web server. Here are the Apache instructions. Chances are, your webhost will do this for you if you are on shared hosting.
Drupal configuration
This will be changing as the functionality improves in Drupal 7, so consider this temporary.
- Open up sites/default/settings.php and add $conf['https'] = TRUE;
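Once the steps above are done, it is worth checking that the login page really is protected. The following is an added example, not part of the original page or of Drupal's own code: it audits one fetched response for the login URL and reports a plain-HTTP login page, a password form that posts to a non-HTTPS target, and cookies set over HTTPS without the Secure attribute. The function and class names, the example.com URLs, the cookie name and the sample responses are constructed for illustration, and the cookie check goes slightly beyond what the page itself covers.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class PasswordForms(HTMLParser):
    """Collect the action of every <form> that contains a password input."""
    def __init__(self):
        super().__init__()
        self.current, self.actions = None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current = a.get("action") or ""   # empty action posts to the page URL
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self.current is not None:
                self.actions.append(self.current)
    def handle_endtag(self, tag):
        self.current = None if tag == "form" else self.current

def audit_login(url, status, headers, body=""):
    """Findings for one response; headers is a list of (name, value) pairs."""
    findings, scheme = [], urlsplit(url).scheme
    location = next((v for k, v in headers if k.lower() == "location"), None)
    if scheme == "http":
        # A plain-HTTP login URL is only acceptable if it redirects to HTTPS.
        target = urlsplit(urljoin(url, location or "")).scheme
        if status not in (301, 302, 303, 307, 308) or target != "https":
            findings.append("plain-http login URL does not redirect to https")
    forms = PasswordForms()
    forms.feed(body)
    for action in forms.actions:
        # Resolve relative actions against the page URL before judging them.
        if urlsplit(urljoin(url, action)).scheme != "https":
            findings.append("password form posts to a non-https target")
    for k, v in headers:
        if k.lower() == "set-cookie" and scheme == "https":
            if "secure" not in [p.strip().lower() for p in v.split(";")[1:]]:
                findings.append("cookie without Secure: " + v.split("=", 1)[0])
    return findings

# Constructed sample responses (not captured from any real site).
U = "://example.com/user/login"
FORM = '<form action="/user/login"><input type="password" name="pass"></form>'
SAMPLES = {
    "plain": ("http" + U, 200, [], FORM),
    "redirect": ("http" + U, 301, [("Location", "https" + U)], ""),
    "https": ("https" + U, 200, [("Set-Cookie", "SSESSx=1; path=/")], FORM),
}
if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, audit_login(*sample))
```

To use it against a real site, fetch the login URL without following redirects and pass in the status, header pairs and body.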
Troubleshooting
Help! My web host doesn't support HTTPS
We should provide a link to a page where webhosts who do support HTTPS can list themselves
