Google Chrome Begins Requiring All Pages with Forms to Use HTTPS
October 20, 2017
Google Chrome will show “Not Secure” warnings on pages that have forms that are not running under HTTPS.
This includes any page with an input.
<input type="email" id="email" name="email" placeholder="Email*" value="<?php echo htmlspecialchars($_POST['email']); ?>">
Beginning in October of 2017, Chrome 62 will display “Not Secure” in the address bar of any page that accepts user input and is not using SSL.
Way back in August of 2014 Google began suggesting that sites using HTTPS may receive a ranking signal. At the time Google even called for HTTPS everywhere on the web. In other words, all communications should be secure by default.
Virtually every site has an input of some sort. Be it an input for an email address on a newsletter subscription form, a simple contact form or a search (box) input.
You could choose to ignore this implementation and hope visitors to your site don’t notice or use a browser other than Chrome. However the smart move would be to upgrade your site site to HTTPS.
In a post from 2016, Google said this:
“Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.”
How to Implement HTTPS
HTTPS requires an SSL (secure sockets layer) certificate. Compared to several years ago, SSLs are inexpensive and in many cases free.
Most options for an SSL depend upon where your website is hosted.
- Namecheap offers what they call a PositiveSSL for only $9.99 a year. For most non-ecommerce sites, the PositiveSSL is sufficient.
- Let’s Encrypt offers free SSLs. This is probably beyond the technical capability of many site owners, however for someone familiar the ACME protocol, it’s a painless process.
- Many web host providers offer free installation of Let’s Encrypt.
- CloudFlare provides a shared SSL with basic free accounts. You have to enable this by clicking the crypto icon and choosing the flexible option.
- SSL for Free uses Let’s Encrypt and promises an SSL at no fee.
Things to Keep In Mind
If you decide to purchase your own SSL, you will also need a dedicated IP address. Dedicated IP addresses run about $4/mo depending upon where your website is hosted.
It’s a good idea to purchase more than one year should you buy an SSL. The validation and installation process is a pain to repeat each year.
Don’t forget to change the calls to images, CSS and JavaScript files. All of these need to be called using HTTPS.
If after you get your SSL installed you receive insecure page errors, check out Why No Padlock which will output a list of issues causing the problem.
Leave a Reply