It's been a while now (7 months) since we flipped the switch to make CodePen entirely HTTPS. I figured we'd check in with a progress report.

What follows is in addition to the standard benefits of HTTPS, which Kayce Basques laid out in Why HTTPS Matters:

  • HTTPS protects the integrity of your website
  • HTTPS protects the privacy and security of your users
  • HTTPS is the future of the web

What are the user-facing benefits?

One of my favorites is that we don't see Pens anymore where people had to code an HTTPS check into the Pen itself and display messaging like "Please look at this Pen over HTTPS."

People would do that because they were using an API (e.g. getUserMedia()) that browsers only expose in a secure context, so the same Pen simply didn't work when it was viewed over plain HTTP.

We also had quite a few users using browsers or browser extensions that would force HTTPS across the web. That was a pain point before we went all-HTTPS, because we had some pages that forced HTTP. Again, it's all so much easier with one, better protocol.

Another benefit: over plain HTTP, a third party on the path (an ISP, a captive portal, a proxy) can alter the page in transit, injecting things or blocking things. Moving to HTTPS cut down on the chances of that kind of tampering, which makes for a more consistent CodePen experience overall. This was the cause of more support requests than you'd imagine!

Has it been hard to maintain?

Nope. We'll need to stay on top of renewing the certificate and making sure it's installed and all that, but that's no big deal for us, as we're doing server work all the time.

It's arguably been easier for us, because now we have a single non-negotiable protocol we're serving the site over. Before, when it was optional, there was much more dancing around forcing it on some pages, not on others, and fixing little bugs that crop up because of that.

Any problems?

The only issue that comes up is the occasional user who is linking to a non-secure script from a place that doesn't offer an HTTPS alternative (remember we auto-upgrade requests when we can, but that only helps when the host actually answers on HTTPS). Browsers refuse to load an http:// script on an https:// page (it's "active mixed content"), so in those cases the Pen will break, which is a bummer.

That external script either needs to be moved to somewhere that does support HTTPS (like our asset hosting) or the existing host needs to start supporting HTTPS.
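As an added illustration (this is not CodePen's own code), here is the kind of audit you can run over a Pen's external resource list to find exactly this failure mode: it resolves each URL the way an https:// page would, rewrites http:// to https:// where the host is known to serve HTTPS, and flags the http:// scripts that have no secure alternative and will therefore be blocked. The allowlist of hosts "known to serve HTTPS", the sample resource list and the `old-widget-host.example` host are constructed for the example; in a real audit the host check would be a network probe of the https:// URL.

```javascript
// Added example, not CodePen's own code: audit a Pen's external resource
// URLs for mixed content and apply an http:// -> https:// upgrade where a
// host is known to serve HTTPS. The "known hosts" set is a constructed
// stand-in for a real check (a HEAD request to the https:// URL).

// Constructed allowlist: hosts assumed here to answer on https://.
const HOSTS_KNOWN_TO_SERVE_HTTPS = new Set([
  'cdnjs.cloudflare.com',
  'code.jquery.com',
]);

// Stand-in for "does this host answer on https://?" (a network probe in a
// real audit; here a lookup in the constructed allowlist).
function hostServesHttps(hostname, knownHosts = HOSTS_KNOWN_TO_SERVE_HTTPS) {
  return knownHosts.has(hostname);
}

// Classify one external resource URL as an https:// page would treat it.
//   secure   - already https:// (or relative / scheme-relative, so it inherits https:)
//   upgraded - http:// but the host serves HTTPS; `url` is the rewritten https:// URL
//   blocked  - http:// with no https alternative; browsers refuse to load an
//              http:// script on an https:// page (active mixed content)
//   other    - some other scheme (data:, blob:, ...), left alone
//   invalid  - not a parseable URL
function classifyResource(rawUrl, knownHosts = HOSTS_KNOWN_TO_SERVE_HTTPS,
                          pageOrigin = 'https://codepen.io') {
  let url;
  try {
    // Relative and scheme-relative ('//host/x.js') URLs resolve against the
    // page, so they pick up https: once the page itself is https.
    url = new URL(rawUrl, pageOrigin);
  } catch (err) {
    return { input: rawUrl, status: 'invalid', url: null };
  }
  if (url.protocol === 'https:') {
    return { input: rawUrl, status: 'secure', url: url.href };
  }
  if (url.protocol !== 'http:') {
    return { input: rawUrl, status: 'other', url: url.href };
  }
  if (hostServesHttps(url.hostname, knownHosts)) {
    url.protocol = 'https:'; // an explicit non-default port, if any, is kept as-is
    return { input: rawUrl, status: 'upgraded', url: url.href };
  }
  return { input: rawUrl, status: 'blocked', url: url.href };
}

// Audit every external resource of a Pen. Returns the per-URL results plus
// the list of inputs that will break once the Pen is served over HTTPS.
function auditResources(urls, knownHosts = HOSTS_KNOWN_TO_SERVE_HTTPS) {
  const results = urls.map((u) => classifyResource(u, knownHosts));
  return {
    results,
    broken: results.filter((r) => r.status === 'blocked').map((r) => r.input),
  };
}

// Constructed sample: the kind of resource list a Pen might declare.
const SAMPLE_RESOURCES = [
  'https://cdnjs.cloudflare.com/ajax/libs/d3/4.0.0/d3.min.js',
  'http://code.jquery.com/jquery-3.1.0.min.js',                     // upgradable
  '//cdnjs.cloudflare.com/ajax/libs/lodash.js/4.0.0/lodash.min.js', // inherits https:
  'http://old-widget-host.example/widget.js',                       // no HTTPS: blocked
  'js/local.js',                                                    // same-origin, https:
];

if (typeof require !== 'undefined' && require.main === module) {
  const report = auditResources(SAMPLE_RESOURCES);
  for (const r of report.results) {
    console.log(r.status.padEnd(8), r.input, '->', r.url);
  }
  console.log('Will break over HTTPS:', report.broken);
}
```

The rewrite step is the same thing a `Content-Security-Policy: upgrade-insecure-requests` header asks the browser to do for every subresource, and it has the same limit: it cannot help when the origin host has no TLS at all, which is exactly the "blocked" case above.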

We've heard from a handful of angry users with this problem, but they were far outweighed by users with fixed problems, and the invisible improved experience for all.

The Future

Browsers only speak HTTP/2 over TLS, so HTTPS is a prerequisite for HTTP/2 and we'll be able to move on that as soon as we can. We're looking at HSTS as well. One thing to be careful about there: once the Strict-Transport-Security header is set, browsers will refuse plain HTTP to the site for as long as its max-age says, so every host it covers (all subdomains, if includeSubDomains is used) has to keep serving valid HTTPS for that whole period.