Good news, everyone! As of this week, we’re offering free, automatic, instant
HTTPS for your custom domains on 5apps Deploy!
There’s no need for any manual steps in the whole process. As soon as you add a
custom domain and point it to our servers, your app will automatically receive
a certificate upon the first time it is visited via that domain.
Certificates are issued by Let’s Encrypt, a free,
automated, and open Certificate Authority (CA). They are renewed automatically
every few weeks by our configuration management systems.
In short: lean back and rest assured that your apps are delivered securely by
an always-up-to-date infrastructure without you having to lift a finger, ever!
Read on for some more details on the benefits of HTTPS (specifically for
client-side web apps), and how to upgrade your existing apps on Deploy.
Let’s encrypt the whole Web
The reasons for going HTTPS all the way by default are many:
The most obvious benefit is security and safety for your users. With a plain
HTTP connection, it’s not possible for their browser or device to validate that
correct server. That leaves a wide-open space for man-in-the-middle attacks and
stealing your user’s data. 1
Privacy & Censorship
Another problem with bad actors in the middle being able to read user
connections in plain text is that it’s easy to log hostnames and URLs being
requested. That makes it possible for ISPs (and in turn authoritarian
governments) to both store detailed profiles of users’ browsing activity, as
well as block specific content by its domain name or URL (without having to
block everything hosted under the same IP address).
Deploy supports HTTP/2 for modern
clients (and SPDY for older ones).
However, browsers only enable HTTP/2 when TLS/HTTPS is used. That means in
order to enjoy the significant performance benefits of multiplexing requests,
your site needs to be delivered via HTTPS.2
Access to Web Platform APIs
With most of the Web community being in consensus about wanting to encrypt the
whole Web using HTTPS for the above-mentioned reasons3,
browser vendors recently began restricting access to certain Web APIs for
sites on insecure origins in their browsers (e.g.
and getUserMedia in
Chrome). Likewise, new APIs will require HTTPS from the start, if they are
sensitive to users’ security or privacy. The best way to ensure the
uninterrupted functionality of apps using these features is to upgrade them to
HTTPS as soon as possible.
Upgrading your existing apps to HTTPS
Existing apps on Deploy without a custom domain (using
yoursubdomain.5apps.com) have been HTTPS by default for over 3
now. If you previously considered using a custom domain, but didn’t want to pay
extra for a certificate, now you can set it up for free.
Apps with a custom domain, for which you subscribed to our previous HTTPS
have been switched to the new, free certificates. The paid add-on will
automatically expire and you will not be charged for renewal.
If you were running an app with a custom domain but no SSL certificate on
Deploy, we have set up all of your apps for HTTPS already. However, in case
you are relying on Web Storage, calls to HTTP APIs, or unencrypted WebSocket
endpoints, we disabled automatic redirects to the HTTPS version of your app.
Please check your email, as we have notified you in case your app is among
As always, we’d love to hear your feedback and answer any questions you might
have! Use the comments below, shoot us a tweet,
drop us an email, or visit our support
Part 2: AppCache, Web Storage, and upgrading to HTTPS origins
We’ll soon publish a follow-up post about how we dealt with updating your
cached offline apps using AppCache from HTTP to HTTPS. It will also include
information on how to deal with migrating Web Storage data between HTTP and
HTTPS origins. Subscribe to this blog or follow us on
Twitter if you’re interested.
- While it is possible to attack HTTPS connections as well, it
requires a lot of effort and usually specific targeting of single users,
whereas attacks on HTTP can be done on a large scale in addition to being easy
to attempt for anyone.
- We saw up to 35% load time decrease over HTTP 1.1 for apps
delivered over SPDY and HTTP/2. Especially mobile clients with high-latency
connections benefit considerably, when they can use a single TCP connection
to load all resources.
- Also see the W3C Secure Contexts spec