Site-wide SSL (https) - Secure Your Site

Provide your visitors and the UBCMS with a higher level of protections.

Flex UI Classic

Flex UI is available to all UBCMS users now. Learn more.

Please run the testing procedures described on this page, before you enable SSL/https for your entire site.

On This Page:

Last reviewed: March 4, 2022

Overview

Zoom image: Example of a browser insecure page warning. Example of a browser insecure page warning.

Example of a browser insecure page warning.

An increasing number of websites are switching their pages over to secure (https:// vs. http://) configurations, for practical reasons, and because search engines like Google are pushing hard for this change.

On the positive side, running your website as https:// provides security for any user information received through your forms, as well making it much harder for hackers to insert malicious code into our system. Additionally, browsers may soon mark 'insecure' http:// pages with a cautionary flag, or even make it harder to view them, and Google has threatened to downgrade insecure pages in its search returns (reducing your SEO). Finally, https:// security may increasingly be required for new browser features.

All UBCMS https URLs use the same SSL certificate, which is signed by a trusted certificate authority (e.g. not self-signed) so that it is trusted by default by pretty much every browser or search engine. The same certificate is valid for all buffalo.edu sites (*.buffalo.edu), including sub-domains like mgt.buffalo.edu and a handful of other hostnames we serve from the UBCMS.

The UBCMS supports https:// through SSL (secure sockets layer) protection, and this can be turned on in Properties, after you first test that your site functions properly in secure mode.

Testing Your Pages

Before you enable site-wide SSL, we strongly recommend you check for any issues that may cause conflicts.

  1. Plan to test any pages with custom scripts, iframes, external embeds and other customizations. Also include any pages that are generally mission critical or have proven fragile when testing in the past.
  2. For each page to test, go to the live page, but edit the URL to start with https instead of http (it may already, depending on how you got there). Make sure the page loads correctly. Pay special attention to the following:
    1. Check that a lock icon appears to the left of the URL in the browser’s address bar
      • The icon should not have a slash through it or an alert triangle symbol
      • If clarification is needed, when clicking the icon, an item in the menu should say “Connection Secure” or “Connection is secure”
      • More info specific to Chrome.
      • More info specific to Firefox.
      • You do not need to check this in multiple browsers; it’s just that it shows a little differently in each
    2. Check for no missing images.
    3. Check that fonts look correct.
    4. Check that any special iframes or scripts from other sites load and function correctly.
    5. Make sure any external embeds work correctly.
    6. Advanced, if possible: Check the browser DevTools console for any warnings about mixed content, failed requests, or other problems.
  3. When all pages you test load correctly with an https URL, you are ready to enable 'Require SSL Site-Wide.'

Enable Site-Wide SSL

Zoom image: Require SSL setting in page Properties. Require SSL setting in page Proeprties.

Require SSL setting in page Properties.

Make this change in your home page's Properties. It will then be applied to your entire site.

Select or open your home page, then open Properties (shortcut p), then look in the Advanced tab for the Require SSL section and select the 'Require SSL Site-Wide' setting.*

Remember to republish your home page to make this live.

* There is no need to adjust 'Require SSL (HTTPS-only)' in the dropdown. This value is over-ridden when you select the Site-Wide setting.

This will require SSL on all child pages, including child pages that you may consider parts of a different site, such as academic departments or research/clinical centers. Be sure to test those sites too, or enable this feature in those areas first.  

Additional Notes

  • To test that the change has been enabled, you can try manually switching some URLs of your site from https to http. They should immediately redirect back to https.
  • This setting will require SSL on all child pages, including child pages that you may consider parts of a different site. So if your site actually contains other sites (such as a school site with department sites within it), make sure to test those sites, too, or enable this in those areas first. You do not need to activate this setting separately for child pages/sites if you prefer just to do it at top page of the topmost site.
  • If you find a problem during testing, the cause is probably that custom code on the page has specifically used an http URL and that code will need to be changed to https.
  • If you find a problem after making the change live, you can switch off the requirement (and republish your home page) while you work on a fix. Although don't be surprised if the redirects to https are cached in browsers for a short time.

Learn More

Was This Information Helpful?

(Required)
(Required)
(so we can thank you or request more details)
(Required)
(buffalo.edu addresses only please)
(Required)