Do I need to serve my website over HTTPS?

TL;DR Yes. Yes, you do. Serving your website securely is good for you, good for your customers, and good for the internet.

Serving your website over HTTPS means securing the connection between your user's web browser and your server using Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). TLS and SSL use a certificate to encrypt the traffic so that it can't be read or modified in transit, which protects sensitive information and stops an attacker from injecting malware into your pages.

Troy Hunt, a leading security consultant, has a great write-up with some entertaining examples of what can be done to an insecure website, but the threat is very real and very serious. A malicious actor could intercept your website's traffic and inject malware, which could cause serious harm to your customers and significant damage to your reputation... and Google will block access to your website if it detects that it is being used to serve malware.

In the past, the only way that a user would know whether a site was secure or not was the padlock icon in the address bar, something that was easily overlooked. Those days are gone. Over the last few years, web browsers have been increasingly aggressive in flagging websites as insecure, and it's easy to see a day coming when the leading web browsers will simply refuse to connect to websites that aren't served securely.

The good news is that securing your site is now free and easy. Both Let's Encrypt and Cloudflare provide free options that . Troy Hunt (again!) has a great 4-part series on adding HTTPS to your website using Cloudflare.

Warning: shameless plug ahead!

SiteSentry will monitor your websites to give you plenty of warning before an SSL certificate is due to expire and to make sure all your traffic is being directed to the secure version of your website. What price peace of mind? As little as $29 a month!