HTTP to HTTPS Migration: Going Secure

Update: Since writing of this post, we have successfully moved 100% of our POS traffic to HTTPS.

Wego takes security of its infrastructure as a top priority and to make our customers feel secure about their browsing experience on the web with us, we started the transition of our domains to HTTPS.

As Wego has over 50 localised domains, its a huge task to migrate all domains to HTTPS. Web front end for all domains running from the same application serving both HTTP and HTTPS content simultaneously was a big challenge. The biggest challenge was the Mixed Content Issue, to make sure we were able to load all content for both types of protocol without breaking one for the other. Migration of Images, secure script loading, Google Tag Manager, Ad campaigns, API(s) and other services that we integrate with all needed to be secure for them to work.

We started off by migrating all our subdomains on wego.com to HTTPS, which constitutes around 60% of our global organic traffic. With each domain having its unique features and custom sections, we started of with changes from the backend which would support url protocol per domain to avoid mixed content issue or reduce the impact to the least. As every time mixed content is requested, browser can halt the loading, causing the website to be unresponsive and deliver poor user experience. Without getting into the technical details of all the changes that were required, migration to HTTPS is more work than one would think of just making HTTP, HTTPS.

Once we were through with setting up serving the correct content based on domains. We started our work on CDN, From per Domain certificate to Wildcard to SAN certificate there are more options than types of oranges that you can buy off the shelf. Amzaon Cloudfront is great to work with Amazon ELB but we don't use Cloudfront as our primary CDN other than to serve assets from it. The important bit of challenge with HTTPS was if the CDN goes down due to any unforeseen reasons we can't have our website running like for HTTP where we can bypass the CDN to relay traffic straight to our infrastructure due to the certificates being part of the CDN. For this reason we had Cloudfront configured as a pay-as-you-go backup CDN for HTTPS traffic, the best part is it provides the certificates for free to its user not costing us double to have certs in two places.

Image for post
Image for post

After having all the setup and migration steps configured and ready to enable each domain to HTTPS, we started off with one domain at a time as it is hard to satisfy the royalty, for king's wrath is always more than its blessing. Cutting on the pun, SEO is an important part of the web and is very critical to our business as well. Though you can find a lot of positives about how HTTPS can help with SEO all seem to drill down on your hopes that you might not see any positive impact. Not so surprisingly we came to the same conclusion as well that there was no positive impact to our rankings rather one of our major domain took a slump after it was migrated.

All in all the migration has been smoother than we could have expected considering the amount of work that was done to add that “S" to the protocol. With majority of our traffic on HTTPS we are looking forward to making more and more domains and services secure as we move forward while continue to provide better experience.

Originally published at geeks.wego.com on August 29, 2016.

Coder during the day, squash player in the evening and cricketer over the weekends. Doubts are the ants in the pants, that keep faith moving

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store