SSL certificates and https

**PeteA** · 20 February 2013, 01:35 PM

Hi - I have just purchased a Rapid SSL certificate from my host for my website - this is for PCI compliance as I take payments on my website. However I'm still failing the Trustwave PCI scan.
How do I make people visiting my website go to the home page as https: rather than the default http: ?

I've worked out how to get people to go to the https: version of my payment page by typing in the address in full rather than linking to the page. Sorry for the ramblings - Xara is great for basic websites but this PCI compliance is turning out to be a nightmare. I can't find any info about SSL certificates etc etc using Xara. Can anyone help? thanks

**gwpriester** · 20 February 2013, 03:06 PM

I am not very knowledgeable about this but it may involve a script and or .htaccess file

Here is a link that may be helpful

http://stackoverflow.com/questions/8...s-secure-https

**pauland** · 20 February 2013, 03:25 PM

Gary's link is good. You effectively need to switch any access via http: to be a https: access.

This isn't my strongpoint writing rewrite rules. Strictly speaking it's not at all a Xara issue.

I did a Google on "http to https" and there was a ton of advice. Have a play and see if it does the job.

Most of the solutions switch the http: to https: as a blanket solution for the whole site, which is no bad thing for a site that is selling stuff.

**PeteA** · 20 February 2013, 03:41 PM

Ok great - very useful - thanks for your help. I guess it's the step up from a Xara site to a "pro" site with all the coding stuff

**gwpriester** · 20 February 2013, 06:18 PM

Thanks Paul

Pete - from what I could see it is not rocket science. Xara website design applications have been designed both to make it easy to intuitively design your site and with the use of placeholders, to add scripts and widgets to your site without all the coding stuff.

**PeteA** · 20 February 2013, 06:30 PM

thanks Gary - it's the PCI Compliance that has caused the problems - the scans/questionairres are the same for me (sole trader) as they are for someone like amazon!

**pauland** · 20 February 2013, 06:59 PM

If you're in the UK you probably pay more tax than Amazon too... ;-)

You're probably going to need FileZilla or similar to be able to mess with .htaccess

**Egg Bramhill** · 21 February 2013, 04:51 AM

Hi Pete,

It's a while since I used a SSL on a site but if I recall correctly you don't need the whole site to be https, just that part of the site dealing with sensitive content such as credit card details etc. By splitting the site into http and https sections you reduce the risk of falling fowl of security risks. For example having a graphic load from a non ssl section of the site etc.

I believe there are good reasons not to have the whole site on an https section, one of the obvious being caching as I believe https pages can't be cached. For example Tesco or Wallmart sites are not https until such time as you go to checkout.

I've never used Trustwave PCI scan so I can't comment but what errors is it throwing up?

**pauland** · 21 February 2013, 11:06 AM

I believe there are good reasons not to have the whole site on an https section, one of the obvious being caching as I believe https pages can't be cached. For example Tesco or Wallmart sites are not https until such time as you go to checkout.

Equally you will find that Amazon is wholly https.

In this case I think the simplest solution is the better solution, so I'd go with making the whole site https. That should save working out exactly which page needs to be https and which doesn't.

If it's good enough for Amazon, I'm sure it's good enough for PeteA.