In the past, adding an SSL certificate to a website was an expensive and complicated operation, but there are many good services available today that make it cheap and easy to secure a website.
Using an SSL certificate with a domain allows users to access a website over an encrypted connection between the browser and the server. If you access a website from a public wifi hotspot that does not require a password, the data between your device and the wifi router can be intercepted by someone else on the network. Accessing websites using https greatly reduces this vulnerability.
A major drawback to implementing better security has unfortunately been cost. Previously on Heroku, using a certificate required the addition of a $20/mo add-on. This doesn't make a lot of sense for smaller projects or primarily static sites. In May, Heroku announced a new SSL Beta which makes using a certificate free. This is great news and what got me interested in figuring out how to set up a certificate on my site.
Another interesting project is Let's Encrypt, which has significantly reduced the complexity around acquiring a certificate. A command-line tool is provided which distills creating a certificate down to a series of prompts asking for a little bit of information about your website. The certificate is saved to your device, and you can then move it to the server or service where you're hosting your website.
I set off down the path of creating my own certificate using Let's Encrypt and wiring it up to my Heroku project using their SSL add-on. I hit two roadblocks. One was that, while it's better than the $20/mo add-on, using the SSL Beta requires at minimum a $7/mo Hobby account. Since I'm using this for my blog, which I try to run using free services, it felt like overkill. The other problem was that, in its current state, Let's Encrypt certificates must be renewed every three months. This means keeping everything up and running requires some vigilance or an investment in automation.
At this point I happened to learn about CloudFlare, a free, hosted solution for SSL. Setting up your site with CloudFlare is simple, quick and easy. I was able to configure CloudFlare in several minutes without having to touch my Heroku configuration. After waiting for the DNS changes to propagate, I had a safer and more secure website.
Here's what I did:
Add a site. Here you'll enter a root domain, e.g., foo.com. CloudFlare will scan the DNS records for the domain and find the relevant information; in my case, I had A and CNAME records for benjaminturner.me and www.benjaminturner.me.
When the scan is complete, CloudFlare will provide new nameservers. These must be updated with your domain registrar; in my case I was using NameCheap. Log in to the registrar's interface and update the existing nameservers to point to CloudFlare's.
That's it. At this point, you'll just need to wait for all the DNS changes to propagate. For free accounts this can take up to 24 hours.
At this point, you'll have CloudFlare configured correctly, but your website may not be. One problem I had was an externally hosted image I was linking to on every page of my site. It was hosted on http, not https. All resource links on a site should use the https scheme; otherwise the page contains mixed content and you won't see the nice "lock" icon in the browser's URL bar.
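As an added example (not code from the original post), here is a small Python script that finds the kind of mixed-content reference described above: sub-resources such as images, scripts and stylesheets pulled in over plain http from a page served over https. The sample page and the hostnames in it are constructed for illustration.

```python
"""Find mixed content: sub-resources loaded over http:// on an https:// page.
Even one such reference stops the browser from showing the lock icon."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes through which a page pulls in sub-resources (plain <a href> links
# are navigation, not mixed content, so they are deliberately not listed).
RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src",),
}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url      # the https URL the page is served from
        self.findings = []            # (tag, attribute, absolute http URL)

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        for attr in RESOURCE_ATTRS.get(tag, ()):
            value = attr_map.get(attr)
            if not value:
                continue
            # srcset is "url descriptor, url descriptor, ..."; keep only the URLs
            refs = ([c.strip().split()[0] for c in value.split(",") if c.strip()]
                    if attr == "srcset" else [value])
            for ref in refs:
                # urljoin resolves relative and scheme-relative (//host/...) refs
                # against the page URL, so those inherit https and are not flagged
                absolute = urljoin(self.page_url, ref)
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, attr, absolute))


def find_mixed_content(html, page_url="https://www.example.invalid/"):
    """Return the list of http:// sub-resource references found in html."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page: two of the references below are mixed content.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="//cdn.example.invalid/app.js"></script>
</head><body>
<img src="http://images.example.invalid/badge.png" alt="badge">
<a href="http://other.example.invalid/">plain links do not count</a>
<img srcset="http://images.example.invalid/a.png 1x, https://images.example.invalid/a2x.png 2x">
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE):
        print(f"mixed content: <{tag} {attr}> loads {url}")
```

Run it against your own page source to list every reference that needs to be switched to https (or to a scheme-relative `//host/...` form).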