Your web sites can be configured to support the secure form of http, which operates over Transport Level Security (TLS) and is known as https. When a web site is accessed over https network traffic is encrypted to keep it secret and to ensure that it isn't tampered with, and web browsers automatically confirm that they are connecting to the correct server and not to an imposter.
You set this up by obtaining a cryptographically-signed web server certificate from a public Certification Authority. Many such authorities are available, but currently only Organisation Validated (OV) certificates issued by the UIS certificate scheme can be used with the MWS.
You set this up for a particular site by doing the following:
- On the web sites page on your panel (Server Settings > Web Sites), select the padlock icon against the relevant web site
- On the resulting page, click 'Generate TLS certificate request (CSR)'. After a short pause the certificate signing request will be displayed:
- Select this (including the -----BEGIN CERTIFICATE REQUEST-----/-----END CERTIFICATE REQUEST----- lines), copy it to the clipboard and paste it into the request page for the UIS scheme at https://tlscerts.uis.cam.ac.uk/tlscert/new. You must request an Organisation Validated (OV) certificate; identify the server type as 'Apache'.
- Once your certificate is issued, save it in a file. Return to your site's certificate page (Server Settings > Web Sites, select the padlock icon against the relevant web site), select 'Choose file' and locate the file containing your certificate, and click Submit.
Once you have completed this process you will be able to access your site using URLs starting 'https://', and attempts to access your site with 'http://' URLs will be automatically redirected to the corresponding 'https://' ones. You might also want to consider implementing 'HTTP Strict Transport Security' (HSTS).