Skip to content

Domains

TLS

Sites on the VIP Platform must have a TLS certificate installed in order to be launched. TLS is a requirement because every site uses a custom domain for both the front-end and admin area, and to ensure each site has a secure admin area and login process.

Note

SSL and TLS are both cryptographic protocols, and TLS is an evolution of SSL. However, TLS is sometimes referred to colloquially as SSL, such as “SSL certificate”, even though all versions of the SSL protocol are disabled at VIP.

TLS certificates can be procured and installed as a self-service feature of the VIP Dashboard.

VIP’s TLS implementation is SNI based, which means some legacy browsers will not be fully supported in their access to pages served over TLS.

HTTPS redirection

Whole-site HTTPS is enabled for all sites by default. This means all front-end and all admin traffic requesting the site over an insecure HTTP protocol will be redirected to HTTPS.

If another mode of HTTPS is required, let VIP know as soon as possible. These modes are available:

  1. HTTPS Admin/Dual Frontend — Redirect all admin area traffic to HTTPS, but allow HTTP or HTTPS traffic for the front end. If you require certain URLs within your site to be HTTPS only (such as a checkout or donations page), then you can apply the appropriate redirections in WordPress theme or plugin code.
  2. HTTPS Admin/HTTP Frontend — Redirect all admin area to HTTPS, and redirect all front end traffic to HTTP.

HTTP Strict Transport Security

The VIP Platform supports and strongly encourages the use of HTTP Strict Transport Security (HSTS) headers. HSTS headers declare to supporting web browsers that a website is accessible only over an HTTPS connection. HSTS headers are an important security measure as they prevent person-in-the-middle attacks, protocol downgrade attacks, and cookie hijacking. When HSTS is activated, it adds the max-age=31536000 (or a lower number if needed) header. The preload and includeSubDomains options are also available.

Be aware that if HSTS headers are configured for a site, and the site is later reverted to responding over HTTP only, any previous visitors will effectively be blocked from accessing the site as their browser will not allow HTTP requests to be made. This is not a bug; this is how HSTS is designed to work.

Create a VIP Support request for HSTS headers to be activated.

Reverse proxies

Environments configured to use a reverse proxy may need to forward the ACME challenge to obtain a TLS certificate.

CAA Records

A Certification Authority Authorization (CAA) record specifies which certificate authorities (CAs) are allowed to issue TLS certificates for a domain. An example use case would be to prevent Let’s Encrypt TLS certificates from being issued for a domain in the VIP Dashboard by adding a CAA record for a specific external certificate authority instead.

Last updated: March 15, 2022