Temple in South Korea, 2019, Photo Credit: Bryan Hughes
Now that encryption is fast, and free, and we know the risks of not using it, there is literally no excuse not to use HTTPS only for every application on the Internet. Literally every application, even for static pages that contain no sensitive information. For everyone (there is no class of user that does not need protection on the internet). Always (there is no time limit, and you can auto-renew your certificates; you don’t even need to really think about it).
Every public website and web application (including APIs) should force the use of HTTPS (and disallow connections using HTTP). This can be done using security headers in your code or forced on the server. Or both.
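Both mechanisms mentioned above (a redirect away from plain HTTP, plus the Strict-Transport-Security header) shown together in one small, framework-agnostic function; this is an added example, not code from the original post, and the request shape `{protocol, method, host, url, headers, trustProxy}` is an assumption you would adapt to your own framework's request object.

```javascript
// Added example (not from the original post): decide, for one request,
// whether to redirect it to HTTPS and which security header to emit.
// Assumed request shape: {protocol, method, host, url, headers, trustProxy}.
const ONE_YEAR_SECONDS = 31536000;
const HSTS_VALUE = `max-age=${ONE_YEAR_SECONDS}; includeSubDomains`;

// Was the request received over TLS? Behind a TLS-terminating load balancer
// the app itself sees plain HTTP, so honour X-Forwarded-Proto only when the
// deployment explicitly trusts the proxy; otherwise any client could spoof it.
function isSecure(req) {
  if (req.protocol === 'https') return true;
  if (req.trustProxy) {
    const forwarded = String((req.headers || {})['x-forwarded-proto'] || '');
    return forwarded.split(',')[0].trim().toLowerCase() === 'https';
  }
  return false;
}

// Returns a decision object {status, headers}; status null means "continue
// to the normal handler", otherwise the caller sends that status and stops.
function enforceHttps(req) {
  if (isSecure(req)) {
    // Browsers only honour HSTS when it arrives over HTTPS, so it is set on
    // this branch and never on the plain-HTTP branch below.
    return { status: null, headers: { 'Strict-Transport-Security': HSTS_VALUE } };
  }
  const method = (req.method || 'GET').toUpperCase();
  if (method === 'GET' || method === 'HEAD') {
    // Permanent redirect to the same path over HTTPS. The host is taken from
    // the request; if the Host header is not fixed by your front end, check
    // it against your configured hostnames before building the Location.
    return { status: 301, headers: { Location: `https://${req.host}${req.url}` } };
  }
  // A POST/PUT body has already crossed the network in the clear; do not
  // replay it over a redirect. Refuse so the client notices the misconfiguration.
  return { status: 403, headers: {} };
}
```

Wire it in as the first middleware (or equivalent) so every route, static pages and API endpoints alike, is covered before any handler runs.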
There is no reasonable excuse for not using HTTPS only for public-facing applications. Feel free to argue with me in the comments. :-D
Up next we will summarize “Part 5: secure coding” of this series.