jprdonnelly/docs
1
0
Fork 0
mirror of synced 2025-12-23 03:44:00 -05:00
Code Issues Projects Releases Wiki Activity
Files
cfed43130bc9ab8a67fda01d467e56d603e69eb8
docs/content/pages/getting-started-with-github-pages/securing-your-github-pages-site-with-https.md
rlew-is 292f19e774 Remove duplicate word 'receiving' 
Under heading 'Troubleshooting certificate provisioning'
2021-12-25 17:47:28 +00:00

71 lines
4.8 KiB
Markdown
Raw Blame History

---
title: Securing your GitHub Pages site with HTTPS
intro: 'HTTPS adds a layer of encryption that prevents others from snooping on or tampering with traffic to your site. You can enforce HTTPS for your {% data variables.product.prodname_pages %} site to transparently redirect all HTTP requests to HTTPS.'
product: '{% data reusables.gated-features.pages %}'
redirect_from:
- /articles/securing-your-github-pages-site-with-https
- /github/working-with-github-pages/securing-your-github-pages-site-with-https
versions:
fpt: '*'
ghec: '*'
topics:
- Pages
shortTitle: Secure site with HTTPS
---
People with admin permissions for a repository can enforce HTTPS for a {% data variables.product.prodname_pages %} site.
## About HTTPS and {% data variables.product.prodname_pages %}
All {% data variables.product.prodname_pages %} sites, including sites that are correctly configured with a custom domain, support HTTPS and HTTPS enforcement. For more information about custom domains, see "[About custom domains and {% data variables.product.prodname_pages %}](/articles/about-custom-domains-and-github-pages)" and "[Troubleshooting custom domains and {% data variables.product.prodname_pages %}](/articles/troubleshooting-custom-domains-and-github-pages#https-errors)."
{% data reusables.pages.no_sensitive_data_pages %}
{% data reusables.pages.private_pages_are_public_warning %}
{% note %}
**Note:** RFC3280 states that the maximum length of the common name should be 64 characters. Therefore, the entire domain name of your {% data variables.product.prodname_pages %} site must be less than 64 characters long for a certificate to be successfully created.
{% endnote %}
## Enforcing HTTPS for your {% data variables.product.prodname_pages %} site
{% data reusables.pages.navigate-site-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.pages.sidebar-pages %}
3. Under "{% data variables.product.prodname_pages %}," select **Enforce HTTPS**.
![Enforce HTTPS checkbox](/assets/images/help/pages/enforce-https-checkbox.png)
## Troubleshooting certificate provisioning ("Certificate not yet created" error")
When you set or change your custom domain in the Pages settings, an automatic DNS check begins. This check determines if your DNS settings are configured to allow {% data variables.product.prodname_dotcom %} to obtain a certificate automatically. If the check is successful, {% data variables.product.prodname_dotcom %} queues a job to request a TLS certificate from [Let's Encrypt](https://letsencrypt.org/). On receiving a valid certificate, {% data variables.product.prodname_dotcom %} automatically uploads it to the servers that handle TLS termination for Pages. When this process completes successfully, a check mark is displayed beside your custom domain name.
The process may take some time. If the process has not completed several minutes after you clicked **Save**, try clicking **Remove** next to your custom domain name. Retype the domain name and click **Save** again. This will cancel and restart the provisioning process.
## Resolving problems with mixed content
If you enable HTTPS for your {% data variables.product.prodname_pages %} site but your site's HTML still references images, CSS, or JavaScript over HTTP, then your site is serving *mixed content*. Serving mixed content may make your site less secure and cause trouble loading assets.
To remove your site's mixed content, make sure all your assets are served over HTTPS by changing `http://` to `https://` in your site's HTML.
Assets are commonly found in the following locations:
- If your site uses Jekyll, your HTML files will probably be found in the *_layouts* folder.
- CSS is usually found in the `<head>` section of your HTML file.
- JavaScript is usually found in the `<head>` section or just before the closing `</body>` tag.
- Images are often found in the `<body>` section.
{% tip %}
**Tip:** If you can't find your assets in your site's source files, try searching your site's source files for `http` in your text editor or on {% data variables.product.product_name %}.
{% endtip %}
### Examples of assets referenced in an HTML file
| Asset type | HTTP | HTTPS |
|:----------:|:-----------------------------------------:|:---------------------------------:|
| CSS | `<link rel="stylesheet" href="http://example.com/css/main.css">` | `<link rel="stylesheet" href="https://example.com/css/main.css">`
| JavaScript | `<script type="text/javascript" src="http://example.com/js/main.js"></script>` | `<script type="text/javascript" src="https://example.com/js/main.js"></script>`
| Image | `<A HREF="http://www.somesite.com"><IMG SRC="http://www.example.com/logo.jpg" alt="Logo"></a>` | `<A HREF="https://www.somesite.com"><IMG SRC="https://www.example.com/logo.jpg" alt="Logo"></a>`
Reference in New Issue View Git Blame Copy Permalink