What do we mean by “secure pages” and HTTPS?
When you go to a web page, you are very likely using the “http protocol”. This is what the “http” at the beginning of a url stands for. By visiting that url, you are sending a request to a server for a page: the html document is returned which tells your browser what should be on the page and how it should look. The “http protocol” is the common set of definitions of how the request and response is formatted.
“https” doesn’t change the way the http request works, but it does add an additional layer of encryption. This means that if someone did somehow manage to intercept http requests, they would have to break this encryption as well to get to the data being transferred.
We require https is used for all donation pages, as credit card details are being transferred which is particularly sensitive information. It is recommended that all pages, including advocacy pages, use https.
Can I just change “http” to “https” for every page then?
Yes and no. For a page to work under “https”, the server responding to the page request and the domain used must have an SSL certificate set up. All of our domains, (e.g. ca.engagingnetworks.app and us.engagingnetworks.app) have certificates. You can even add a subdomain of your choice. On the urls you use to direct people to your action (on your site, on affiliate sites or on social media) just add an “s”.
However, every resource linked on a secure page must also be requested under “https”.
So if your html template contains something like this…
<link href="http://myorg.net/css/style.css" rel="stylesheet" type="text/css">
…which is a very common way of applying styling from your own website to your action pages, the stylesheet will actually be requested from the server your website is on like this:
<link href="http://myorg.net/css/style.css" rel="stylesheet" type="text/css">
If the server and domain do not have an SSL certificate set up, then the stylesheet will not load on your action page: if your browser asks for something with “https” and it is only available as “http” then the browser decides (rightly) it wouldn’t be safe to load it.
If your main stylesheet doesn’t get loaded, you may be looking at a page like this:
How do I avoid this?
If you do wish to use “https” for your action page and you are seeing issues like this, you can find out how to make a secure html template here.
What if I’m using my own subdomain?
If you have set up a subdomain on your own domain and pointed it to our server, you can still use “https” for your actions. You just need to set up an SSL certificate for your subdomain, You can find out more here.
HTTPS and iframes
This behaviour by browsers also impacts embedding actions as iframes (or embedding action widgets).
Browsers will block resources loaded via “http” when you are viewing the page under “https” for security reasons. This also extends to iframes. So if you embed your page as http:
<iframe src='http://ca.engagingnetworks.app/page/6141/action/1' frameborder='0' width='400' height='300'></iframe>
…and embed it on a page on your own website, and that page is viewed with “https“, the iframed page will not appear.
To resolve this, we can just add an “s” as long as you are able to view the embedded page in https:
<iframe src='https://ca.engagingnetworks.app/page/6141/action/1' frameborder='0' width='400' height='300'></iframe>
HTTPS and action redirects
When you use an action redirect on a campaign, the decision whether the second campaign is “http” or “https” depends entirely on which is used for the first action in the chain. So if my first action is a petition and I visit it under “https”, the action redirect will send me to the subsequent “tweet to target” action as “https” too. So I’d need to make sure the html template used in the tweet to target action is also secure.