Something that new Drupalers struggle with is getting their site secured with SSL, the little lock in the browser or https://. Their first reaction is, “There has to be a module for that” and there are a few modules for getting your site HTTPS friendly, but there is a much easier solution.
No modules, just update your .htaccess file
The simplest and easiest way to add HTTPS to your entire website is by editing you site’s .htaccess file. No modules, no overhead, just a few lines of code and you’re all set.
You can add the following below “RewriteEngine on”. I usually put it below the chunk that starts with “# To redirect all users to access the site WITH the 'www.' Prefix”. Note, if you have any prefix rules enabled already, you’ll want to comment those out first since the new code below with include a prefix.
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
The code above adds HTTPS if it’s not already present and it will also add “www” as well if it’s not already there.
Why full site HTTPS is the new way to go
As Google says, security is a top priority. Your site should probably adopt the same mantra. 21st century people are getting very sensitive to how their information is being shared and collected. Additionally with all the recent security breaches, people want to feel more secure.
The old argument for not using full site HTTPS was that it can slow down a site due to it having to constantly encrypt the information being passed between server and browser. But that was when servers were a lot slower and the normal internet connection was through a 56K dial-up modem. In today’s world, it’s difficult to detect any latency at all when comparing SSL and non-SSL versions of a site.
Another benefit for full site SSL is SEO. According to Google, it’s giving ranking boosts to sites using SSL/HTTPS websites. While this boost may only be minor, I’ll take any boost I can get.
HTTPS using Drupal Modules
It’s somewhat common in ecommerce or private sections of a website to switch between HTTP to HTTPS. Drupal offers a few modules for accomplishing that.
Secure Pages
In Drupal 6, Secure Pages was my go-to SSL module. It has over 26K reported installs. If offers a simple user interface for defining your secure and non-secure paths.
In Drupal 7, it’s a bit of a work in progress and doesn’t work reliably without a few core patches. It is possible to get it working, just be prepared to spend some time testing to make sure it switches properly from HTTPS to HTTP and vise versa. Since it does require a Drupal core patch, you need to remember to reapply these patches every time update Drupal core.
Other Drupal SSL modules
There are some other SSL modules that I’ll quickly mention:
Custom SSL Redirect
Has a bit of similarity with Secure Pages, but it only lets you define the secure and non-secure paths. Be careful when installing. If you don’t have SSL on your server yet, it will automatically try to redirect to an HTTPS version and continually error out - locked me out of my site so I had to disable is via drush.
Ubercart SSL
The Ubercart SSL module is for securing all of Ubercart’s shopping cart paths
Secure Login
The Secure Login module enables HTTPS primarily for the user login form, but can be configured to securce any form within the site.
Problems with switching between HTTPS and HTTP
Some problems I’ve seen with Ubercart and Drupal Commerce is that switching between HTTPS and HTTP paths can potentially lose checkout sessions, meaning that the user’s shopping cart appears empty after the site switches to HTTPS. This can be very frustrating and usually due to a configuration issue somewhere, but it can be easily solved by using full site SSL.
Conclusion
Overall, achieving full site HTTPS using the code above is very easy and it appears to only add benefits to your site’s security, your users’ security, your site's speed (one less module installed) and your SEO.