
THE MAGIC OF “UPGRADE-INSECURE-REQUESTS”

We have been encouraging all store owners to move to https over the last year or so. An SSL certificate with a warranty can be had for as little as £39.99 per year, or a Let's Encrypt certificate (without warranty) for free. So there is no excuse for not serving all pages over https.

Magento has two base URLs: a secure one and a non-secure one. By default, entering https://mydomain.com/ in the secure base URL field adds SSL protection to your My Account, Shopping Cart and Checkout pages. To secure all other pages you only need to use https:// in your non-secure base URL as well. All pages will then load over https and you will be rewarded with a padlock in the URL bar on your home, category and product pages.

However, one issue can come back to haunt you. If you have been adding links or images to your CMS pages or template .phtml files using http://, your browser will throw a mixed-content warning: "This page is not secure". For an ecommerce site this is not ideal.

If you have a large site with thousands of CMS blocks and pages, this is a nightmare that can take many man-hours to fix.

However, there is a W3C-specified mechanism, Upgrade Insecure Requests, that addresses this issue:

https://www.w3.org/TR/2015/CR-upgrade-insecure-requests-20151008/#preference

By adding the directive to the page head as a meta tag (it can equally be sent as a Content-Security-Policy response header):

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

the browser rewrites every http:// subresource request the page makes (images, scripts, stylesheets, frames) and every same-origin navigation to https:// before sending it, so the page loads without mixed-content warnings. Note that the stored http:// URLs themselves are unchanged: the upgrade happens in the browser, so each referenced host must actually serve the content over https, and links to other sites are not upgraded.

Google have provided a neat example of this here:

https://googlechrome.github.io/samples/csp-upgrade-insecure-requests/
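The following script is an added example and is not part of the original post or of Magento; it is a defender's check you can run over a saved copy of a CMS page before and after enabling the directive. It lists every http:// reference, and reports which ones upgrade-insecure-requests (delivered by meta tag or response header) would upgrade and which would still load over plain http. The host names in the sample HTML are constructed, and the classification is a heuristic (it treats every link href as a fetch and ignores srcset, CSS url() and inline styles); it fetches nothing from the network.

```python
# Added example (not from the original post): a mixed-content audit for a page
# that relies on upgrade-insecure-requests. Sample HTML and host names are constructed.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# URL-bearing attributes the browser fetches as subresources: upgraded wherever they point.
SUBRESOURCE_ATTRS = {
    ("img", "src"), ("script", "src"), ("link", "href"), ("iframe", "src"),
    ("source", "src"), ("video", "src"), ("audio", "src"),
}
# Navigations (links, form posts): upgraded only when they target the page's own host.
NAVIGATION_ATTRS = {("a", "href"), ("form", "action")}
TRACKED_ATTRS = SUBRESOURCE_ATTRS | NAVIGATION_ATTRS


class _RefCollector(HTMLParser):
    """Collects (tag, attr, url) references and any CSP delivered via <meta>."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self.meta_policies = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "content-security-policy":
            self.meta_policies.append(attrs.get("content", ""))
        for name, value in attrs.items():
            if value and (tag, name) in TRACKED_ATTRS:
                self.refs.append((tag, name, value))


def has_upgrade_directive(policies):
    """True if any CSP policy string (header or meta) contains upgrade-insecure-requests."""
    return any(
        directive.strip().lower() == "upgrade-insecure-requests"
        for policy in policies
        for directive in policy.split(";")
    )


def audit(html, page_host, csp_header=None):
    """List every http:// reference in *html* and whether the directive would upgrade it.

    page_host is the host the page is served from; csp_header is the value of a
    Content-Security-Policy response header, if the server sends one.
    """
    collector = _RefCollector()
    collector.feed(html)
    policies = list(collector.meta_policies)
    if csp_header:
        policies.append(csp_header)
    upgrade_enabled = has_upgrade_directive(policies)

    findings = []
    for tag, attr, url in collector.refs:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue  # https://, protocol-relative and relative URLs are not mixed content
        same_host = (parts.hostname or "").lower() == page_host.lower()
        if (tag, attr) in SUBRESOURCE_ATTRS:
            upgraded = upgrade_enabled
        else:
            upgraded = upgrade_enabled and same_host
        findings.append({"tag": tag, "attr": attr, "url": url, "upgraded": upgraded})
    return findings


def unresolved(findings):
    """URLs that would still be fetched over http (the ones left to fix by hand)."""
    return [f["url"] for f in findings if not f["upgraded"]]


# Constructed sample: a CMS page with stale http:// references and the meta tag in place.
SAMPLE_HTML = """<!doctype html>
<html><head>
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
<link rel="stylesheet" href="http://mydomain.com/skin/frontend/styles.css">
</head><body>
<img src="http://mydomain.com/media/wysiwyg/banner.jpg">
<img src="https://mydomain.com/media/wysiwyg/logo.png">
<a href="http://mydomain.com/customer/account/">My Account</a>
<a href="http://partner.example/deals">Partner offer</a>
<script src="http://cdn.example/widget.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_HTML, "mydomain.com"):
        status = "upgraded" if f["upgraded"] else "STILL HTTP"
        print(f"{status:10} <{f['tag']} {f['attr']}> {f['url']}")
```

On the sample page four of the five http:// references are upgraded; the cross-site anchor to partner.example stays http, which is exactly the class of link the directive leaves alone. Removing the meta tag (or passing the directive as csp_header instead) shows the other two states: nothing upgraded, or the same result as the meta tag.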

In Magento you can quickly add the header here:

Magento 1:

Magento 2: