HTTPS Migration, best practices

Blog Post created by Manuel Alvarez Employee on Oct 23, 2017

Although there are many articles providing recommendations on how to migrate to HTTPS, few provide a concise, reader-friendly list of actions. This blog post highlights some of the top considerations when migrating to HTTPS.

At a high level, the migration process consists of:

  1. Update the Akamai configuration to the secure network
    1. Make sure you update the TD map and set up the Origin Trust Management (aka FOSSL) settings
    2. As always, test the configuration in Akamai staging first
    3. Recommended: make all SureRoute requests over HTTPS
  2. Create a secure edge hostname referencing your TLS certificate
  3. Test and deploy the new configuration in Akamai production using the new, secure edge hostname
  4. Update the CNAME(s) to point to the secure edge hostname
  5. Keep the site supporting both HTTP and HTTPS for a period to identify any problems or content mismatches
  6. After the defined period, support only HTTPS traffic by adding a protocol redirect in your configuration
  7. Finally, enable HSTS and disable the HTTP endpoints (more details below)

These are the must-knows and best practices when migrating to HTTPS:

  1. Akamai will not downgrade protocols (transform HTTPS requests from clients into HTTP requests to the origin), as that would be a security violation
  2. Secure configurations support non-secure traffic; that is, you can continue to make HTTP requests until the migration is completed. At that time, the best practice is to support only HTTPS (more tips below)
  3. New resources will be consumed at the origin to perform and terminate TLS handshakes. Please make sure to scale your infrastructure accordingly and/or work with Akamai to control unsupportable session spikes
  4. Pre-fetching, HTTP/2 multiplexing, and HTTP/2 Push require the domains to be on the same TLS certificate and map
  5. Back-end services (load balancers, microservices, service providers, etc.) must support a secure connection to comply with PCI
  6. Automate certificate management and include certificates in your regular audits. With Akamai in front of your properties, it is easy to forget when your origin certificate expires
    1. Akamai automatically rotates certificates deployed in the platform
  7. Mixed content warnings and errors will be displayed if a secure page makes any request over HTTP. This could be due to hardcoded HTTP links on the page or third-party objects calling additional objects over HTTP
    1. Third parties must be delivered over HTTPS. Work with your third parties directly, as they might use a different domain for secure content
    2. Manually detecting mixed content on a page (resources requested over HTTP in a page requested over HTTPS) is time consuming and should be limited to page samples. Search for mixed content by:
      • Looking at your source code for anything that is hardcoded as http://
      • Loading the page in the browser and inspecting the browser's main console. The console will display errors and warnings related to mixed content
    3. Use the Content Security Policy (CSP) reporting mechanism to obtain a JSON report of mixed content on your pages. Implementation is as simple as adding a Content-Security-Policy-Report-Only header with a data collection endpoint URL in it.
      • Requires a data collection engine to receive and process these reports.
      • Reports include the page URL where the policy violation occurred and the sub-resource URL that violated the policy
      • The CSP header will look something like: 
      • More information is available on this blog and this blog
    4. CSP also provides a way to instruct browsers to upgrade requests to HTTPS even when the embedded link is HTTP, by adding a directive like:
      • Content-Security-Policy: upgrade-insecure-requests
      • Check this blog for more information
      • Browser support can be found here
  8. Monitor site/API usage during the rollout. A sudden drop not correlated with historical traffic flows might indicate issues with the TLS negotiation
  9. If using GTM, move your GTM liveness test objects or load feedback objects to HTTPS
  10. Disable HTTP endpoints after the migration is completed. There is no need to support HTTP connections anymore; thus, close port 80 if you can
  11. Enable HSTS once migrated so that browsers eliminate the HTTP to HTTPS redirect.
    1. HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that protects websites against protocol downgrade attacks and cookie hijacking. It is specified by a web application using a special response header. Once a supported browser receives this header, that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.
    2. When implementing, enable HSTS with a short TTL first and do not include the sub-domain option. This will allow you to revert in a short time if an issue is found
    3. Once testing is complete, increase the HSTS TTL to a year, include sub-domains, and include the domain(s) in the preload list
    4. The existing preload list is available at hstspreload.org
    5. More info on HSTS here
  12. Leverage OCSP stapling of certificates to reduce any round-trip penalty associated with validating the revocation status of the property certificate
  13. Reduce cutover risks by deploying the Akamai configurations and changing your CNAME to the secure network well in advance of the cutover. The secure network supports HTTP traffic
  14. Moving to the secure network will effectively purge your cache. Please contact your Akamai team if you have long-tail content or a large footprint to identify a proper mitigation strategy. Some approaches to mitigate unhealthy traffic spikes against the origin could include:
    1. Use an Akamai cache pre-warming tool
    2. Use Advanced Override Metadata to override TD settings and keep FreeFlow (non-secure network) traffic over the FreeFlow TD map. See https://ac.akamai.com/docs/DOC-14506
    3. Shift traffic in stages by selecting users on first visit (randomly, by geo location, or by another client request attribute) so they start building the cache
  15. Lower-level environments (e.g. Dev, QA) should work only over HTTPS to properly represent the production environment
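As an added example (not code from the original post or from Akamai), the following shows the report-only and upgrade headers from item 7 and a small triage routine that turns the JSON reports browsers send into a list of HTTPS pages and the plain-HTTP sub-resources they pulled in. The collector URL and the sample reports are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# Report-only policy: nothing is blocked, but every sub-resource that is not
# loaded over HTTPS is reported to the (placeholder) collection endpoint.
REPORT_ONLY_HEADER = (
    "Content-Security-Policy-Report-Only: default-src https:; "
    "report-uri https://csp-collector.example.com/report"
)
# Enforcing variant: browsers rewrite embedded http:// links to https://.
UPGRADE_HEADER = "Content-Security-Policy: upgrade-insecure-requests"


def mixed_content_from_reports(raw_reports):
    """Group blocked http:// sub-resources by the HTTPS page that loaded them.

    Each item is the JSON body of one report ({"csp-report": {...}}).
    Returns {page_url: sorted list of offending resource URLs}.
    """
    findings = {}
    for raw in raw_reports:
        report = json.loads(raw).get("csp-report", {})
        page = report.get("document-uri", "")
        blocked = report.get("blocked-uri", "")
        # Only an HTTPS page pulling a plain-HTTP resource is mixed content;
        # values such as "inline" or "eval" are other kinds of CSP violation.
        if urlsplit(page).scheme == "https" and urlsplit(blocked).scheme == "http":
            findings.setdefault(page, set()).add(blocked)
    return {page: sorted(urls) for page, urls in findings.items()}


# Constructed sample reports, shaped like the body a browser POSTs.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://www.example.com/checkout",
                               "violated-directive": "img-src",
                               "blocked-uri": "http://cdn.example.com/logo.png"}}),
    json.dumps({"csp-report": {"document-uri": "https://www.example.com/checkout",
                               "violated-directive": "script-src",
                               "blocked-uri": "http://thirdparty.example.net/tag.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://www.example.com/",
                               "violated-directive": "script-src",
                               "blocked-uri": "inline"}}),
]

if __name__ == "__main__":
    for page, urls in mixed_content_from_reports(SAMPLE_REPORTS).items():
        print(page)
        for url in urls:
            print("   ", url)
```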
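The staged HSTS rollout from item 11, as an added example that is not part of the original post: a pilot header with a short TTL and no sub-domains, the final header, and a check that a header value meets the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains and preload all present). The stage names and the 300-second pilot TTL are assumptions.

```python
ONE_YEAR = 31536000  # seconds; the minimum max-age the preload list accepts


def hsts_header(stage):
    """Return the Strict-Transport-Security value for a rollout stage."""
    if stage == "pilot":
        # Short max-age, no sub-domains: easy to back out if something breaks.
        return "max-age=300"
    if stage == "final":
        return f"max-age={ONE_YEAR}; includeSubDomains; preload"
    raise ValueError(f"unknown stage: {stage}")


def parse_hsts(value):
    """Parse an HSTS header value into a dict of lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip() or True
    return directives


def preload_ready(value):
    """True if the header satisfies the preload-list requirements."""
    d = parse_hsts(value)
    try:
        max_age = int(d.get("max-age", 0))
    except (TypeError, ValueError):
        return False
    return max_age >= ONE_YEAR and "includesubdomains" in d and "preload" in d


if __name__ == "__main__":
    for stage in ("pilot", "final"):
        value = hsts_header(stage)
        print(f"{stage:6} {value!r:55} preload-ready={preload_ready(value)}")
```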

Please add pointers and ideas in the comments to keep this list growing.

Thank you Duncan McAllister, Akshay Ranganath, Jayaprasanna Jayaraman, and Kiran Nijalingappa for your contributions.
