Merely securing a website
with a valid SSL/TLS certificate from a trusted CA
is not enough to get all-round protection.
SSL is a complex technology,
which has a number of features (key encryption algorithm, secure ciphers,
HSTS, and much more) that can do the following:
- Enhance the security of your website’s visitors.
- Improve your website performance.
- Harden the security of all server’s encrypted connections
Enabling these features can improve your websites’ search engine rankings:
- “Redirect from http to https” sets up a permanent,
SEO-safe 301 redirect from the insecure HTTP
to the secure HTTPS version of the website and/or webmail.
- HSTS prohibits web browsers from accessing the website
via insecure HTTP connections.
- OSCP makes the web server request the status of the website’s certificate
(can be good, revoked, or unknown)
from the CA instead of the visitor’s browser.
- TLS versions and ciphers by Mozilla
harden connections secured with SSL/TLS certificates
(website, mail, Plesk, and so on).
Caution: Before turning these features on,
ensure that your website can be accessed
via HTTPS without any issues.
Otherwise, visitors may have trouble accessing your website.
Note: If you have already set up HSTS or OCSP stapling
in your web server manually,
delete these customizations
before turning on HSTS or OCSP stapling in SSL It!.
To enhance the security of your websites and encrypted server connections:
Secure your website with a valid SSL/TLS certificate from a trusted CA.
Go to Websites & Domains > your domain > SSL/TLS Certificates.
If you have upgraded to Plesk Obsidian from earlier Plesk versions,
turn on “Redirect from http to https”.
The redirect will be also applied for webmail by default.
On clean Plesk Obsidian installations,
the redirect for the domain and webmail is already turned on by default.
Note: If your webmail is not secured with a valid SSL/TLS certificate
or you do not have any webmail,
clear the “Include webmail” checkbox.
Turn on HSTS.
Make sure that an SSL/TLS certificate
that secures your website will be valid
during the “Max-age” period.
Do the same for subdomains and the webmail subdomain.
Otherwise, if the SSL/TLS certificate expires earlier
than the “Max-age” period and HSTS is turned on,
visitors will not be able to access your website.