SSL (https://) Pages

An increasing number of websites are switching their pages over to secure (https:// vs. http://) configurations, for practical reasons, and because search engines like Google are pushing hard for this change.

On the positive side, running your website as https:// provides security for any user information received through your forms, as well making it much harder for hackers to insert malicious code into our system. Additionally, browsers may soon mark 'insecure' http:// pages with a cautionary flag, or even make it harder to view them, and Google has threatened to downgrade insecure pages in its search returns (reducing your SEO). Finally, https:// security may increasingly be required for new browser features.

All UBCMS https URLs use the same SSL certificate, which is signed by a trusted certificate authority (e.g. not self-signed) so that it is trusted by default by pretty much every browser or search engine. The same certificate is valid for all buffalo.edu sites (*.buffalo.edu), including sub-domains like mgt.buffalo.edu and a handful of other hostnames we serve from the UBCMS.

The UBCMS supports https:// through SSL (secure sockets layer) protection, and this can be turned on in Page Properties, after you first test that your site functions properly in secure mode.

Make these changes in the Page Properties of your home page. They will then be applied to your entire site.

First, you would test your published site to make sure it works with https/SSL. Basically this involves just going out of your way to access your sites via https URLs instead of http URLs. They should already be working this way, just not requiring it or redirecting to it. Basic things to check and watch out for are:

• Does it work at all? We believe the entire UBCMS should now accept https URLs, but we have not double checked every sub-domain and site. Make sure your pages load and there is no certificate warning.
• Pay special attention to any <script>s or <iframe>s or <form> action attributes that have been added to pages using HTML Snippets or Embeds). Browsers will not load these insecurely from a secure page. If the browser's address bar says "https", the scripts and iframes must have https (or relative) URLs. So basically just make sure anything that might fall into this category actually loads when using an https URL. This is backwards compatible, so if you change them to https they will still work fine from http. If any of these applications are running on servers without https and a proper certificate, this can be hard to deal with, but in many cases it is just as simple as finding them and adding "s" to the URL. 
• Pay attention to embedded images and CSS, although these are not as critical. For now browsers do follow these even if insecurely referenced from a secure page, but this is bound to be disallowed in th enext stage of Web refinements. Again, this is only a concern for custom CSS, Embeds, HTML Snippets, etc. Images in the various UBCMS components will work fine.
• Pay attention to any absolute links you have written to your site with http instead of https (from UBCMS pages, and especially from outside the UBCMS). Relative links (external links without the http:// prefix, or UBCMS internal paths beginning '/content/...') do not need to be updated, because https will just be added automatically after you switch the setting, but get used to using https in the future. It will not be hard, as when you copy and paste from existing pages they will be https already.  

Once it appears that everything will work via https, switch the 'Require SSL Site-Wide' setting on in Page Properties and (re)activate that page. (Every page from there down will flip to https if accessed via http.) To be safe, turn this on for one of your smaller or less critical sites first and give it a few days. Or if you really want to play it safe (or need to test out any details of how this works), switch it on for just a section of a site or even a single page.