We did it!
Just as we planned, we baby-stepped our way there over the last few months. All URLs on CodePen are now HTTPS. It went a little something like this:
- We secretly prepared for it for the last few years by making all new things HTTPS-only. We moved Asset Hosting to all-HTTPS. Big features like Projects were HTTPS from launch.
- We let everyone know that we were going to do it.
- We started forcing new Pens to start life as HTTPS, so nothing surprising would happen with newly-created work.
- We started forcing more and more pages to be HTTPS-only.
- We added warnings to the UI for External Resources about HTTP assets.
- We ran a massive migration to change URLs all across every Pen to link directly to equivalent HTTPS resources when those were available, fixing over 10 million URLs.
- We released a tool to help our members find potentially problematic Pens.
- Finally, we flipped the switch and forced the entire site. We're also using CloudFlare to help us upgrade requests to HTTPS in case we missed anything.
There was one fairly painful little bit.
One of the big benefits of going all HTTPS is enhanced security for you. When every page of the site is HTTPS, that means you can have a secure-only session, unlike before where we needed to give you a secure and non-secure session, so you'd be logged in whether or not the page was HTTPS.
When we deployed the code that started requiring a secure session, we knew that we would log everyone out, and put up a warning about that. What we didn't anticipate is that even if you logged back in, you might experience a weird sort of half-logged in state where some things still didn't work quite right. It didn't help that we had a deployment issue where 1/12 of our web servers didn't have the right code. That should all be resolved now. We apologize to everyone that was affected by login issues when we made this change.
But we're there!
We actually beat our goal of June 1st by one day 😉
We recorded a podcast all about all this too, if you're extra-interested.