HTTPS For Your Blog

After having setup your free blog and linked it to your custom domain, you may have noticed that it is not secure when browsing it. In fact, it is served only in HTTP instead of HTTPS and modern browsers have adopted a good habit of warning you about it.

If right now you’re wondering if you haven’t break something since before the custom domain, it was available in HTTPS, the answer is no, you didn’t. I’m going to explain what happened but before that, if you are not familiar with how HTTPS works, you might need to read this before going on.

When your blog was directly served from, Github was able to provide you a SSL certificate and a redirection from HTTP to HTTPS because your blog was after all served directly from a subdomain of that they control. Afer we plugged our custom domain, we lost the possibility to use the SSL certificate of because we need a new one linked to our own domain. You may have heard about solutions like Let’s Encrypt that helps you generate your own recognized certificates but you will still face the trouble about where to store some useful files that Let’s Encrypt generated since your blog is not hosted in a private server but in Github. Personnally, even if there is a way to use it, in this case, I think it would be an overkill since there is a free and easy solution offered to us which is Cloudflare.

Cloudflare is like a swiss knife for the Internet, providing a lot of services and solutions like DNS servers, DNS configuration, CDN Edge servers, firewalls, SSL protection and a lot of useful things. Go ahead and create an account if you don’t have one, it’s totally free. What we gonna do then is delegate some of our domain management like DNS configuration, SSL protection and some other things from our Registrar to Cloudflare.

In your Cloudflare dashboard, you can add a domain, so just put your blog domain and Cloudflare will import all DNS records it finds about it (at least the 4 A records and the CNAME record we created in the first part of this tutorial).

cloudflare import

As you can see in this image, Cloudflare may complain about not finding any MX records which deal with emails but that’s not really a problem as long as you don’t want to receive emails there. After validating this screen, Cloudflare will present you 2 nameservers that you need to put in the configuration of your domain in your registrar. This action is what will actually delegate the control to Cloudflare and it will help prove that you really own the domain and are not trying to hijack someone else’s. So open your registrar dashboard, remove all previous DNS records and put the 2 Cloudflare nameservers. After applying those settings, it may take up to 24h depending on your registrar for them to be effective but don’t worry, Cloudflare will be on the watch and will send you an email as soon as it gets control of the domain.

If you receive the mail, congratulations 👏, you just achieved the most difficult part. Now that Cloudflare have control of your domain, go to the Cloudflare dashboard corresponding to your domain and go to the Crypto menu.


As you can see, Cloudflare offers you SSL. Choose the Full option in the select box and wait until the Universal SSL Status is marked as active. If you’re wondering why the Full option and not the Full Strict option, it has to do with Github having some trouble validating the certificate used between him and Cloudflare, more details about the Full Strict option can be found here.

At this point, HTTPS is available for your blog and I recommend that you enforce it by redirecting all HTTP traffic to HTTPS. This can be done by scrolling down and turning on the option Always Use HTTPS


That’s it, you are all set. Now browsers will recognize your blog as legit 😎.


Cloudflare can cache your blog making it faster to load for users since in a blog, things usually change only when there is a new post. Files like styles and scripts may not changed during the entire lifespan of the blog. You can turn it on by going to Page Rules in your dashboard and add a rule to cache everything.


If you ever feel the need to adapt the TTL of the browser cache or purge the Cloudfare cache, explore the Caching menu, you won’t be disappointed.

Mamadou L. NIANG
Mamadou L. NIANG
Cybersecurity Consultant

Senior Java developer mainly around Spring and now, on my way to being a professional pentester.I love learning plenty of stuff and sometimes breaking them.

comments powered by Disqus