Good Gallery

Authentication & Encryption

HTTPS, HTTP/2, HSTS, encryption, and security configuration for your Good Gallery website

Good Gallery requires that all customers use TLS (Transport Layer Security) via SSL (Secure Sockets Layer) certificates. SSL certificates ensure that all visitor traffic is authenticated and encrypted. This level of security is confirmed by the lock icon and a "Secure" browser notification displayed for visitors next to your URL.

Once your website is live, a free SSL certificate is automatically installed on your public Good Gallery website. SSL certificates are renewed automatically.

Our systems check for unsecured domains four times daily at 00:00, 06:00, 12:00, and 18:00 PST (GMT -07:00). If a live website connected to an unsecured domain is discovered, an SSL certificate is automatically installed for that domain.

Note: SSL certificates are automatically renewed every sixty days. This can result in an outage of 1 or 2 minutes while your old certificate is removed and your new certificate is added.


HTTPS

HTTPS (Hyper Text Transfer Protocol Secure) securely transfers information over the Internet. When your SSL certificate is installed, HTTPS is automatically enabled.

This means that all traffic between Good Gallery servers and your visitors will use HTTPS instead of HTTP. For example, instead of using http://www.example.com, visitors will access your website using https://www.example.com.

If a visitor enters http instead of https in their browser, or if a backlink to your website includes http instead of https, that traffic is automatically forwarded to your HTTPS URL.


HTTP/2

All HTTPS-enabled Good Gallery websites are served using the HTTP/2 protocol.

If a visitor's browser supports HTTP/2, visitors will typically experience improved speeds and user experience. Additionally, your website will require less bandwidth and communications will be less error-prone, which improves server performance and the performance of your website.


HSTS

When HTTPS is enabled, HSTS (HTTP Strict Transport Security) is also enabled.

HSTS is a mechanism that helps protect your website from man-in-the-middle attacks including protocol downgrade attacks and cookie hijacking. This is accomplished through a response header that browsers receive when accessing your website.

Once a supported browser receives this header, it will not send any communications to the specified domain over HTTP and will instead send all communications over HTTPS.


HSTS Preload List

The HSTS Preload List is a directory of secure domains included in the source code of most modern browsers including Chrome, Edge, Firefox, Opera, Safari, and IE 11.

If your domain is on the HSTS Preload List, when a visitor accesses your website using one of those browsers, your SSL/TLS security is enforced absolutely. Including your domain on this list will make your website even more secure.

If you are certain that your domain and all subdomains will never be downgraded from HTTPS to HTTP, then you can add your domain to the HSTS Preload List.

You should only add your domain to this list if you are certain you can offer HTTPS over your domain and all current and future subdomains indefinitely.

Note: One consideration of the HSTS Preload List is that you must always use a naked domain (e.g., example.com) instead of a www subdomain (e.g., www.example.com) for your website. If you cannot guarantee this level of domain security, you should not sign up for the HSTS Preload List. Visit the HSTS Preload List Submission website to submit your domain.
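
Added example (not Good Gallery's own code): the Python below parses a Strict-Transport-Security response header value and lists what the HSTS Preload List submission rules would reject in it, namely a max-age under one year or a missing includeSubDomains or preload directive. The header values are constructed samples; this page does not state the exact header Good Gallery sends.

```python
PRELOAD_MIN_MAX_AGE = 31536000  # one year, the minimum the preload list accepts


def parse_hsts(header_value):
    """Return the policy carried by one Strict-Transport-Security value."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()           # directive names are case-insensitive
        value = value.strip().strip('"')      # max-age may be a quoted string
        if name == "max-age" and value.isascii() and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def preload_problems(header_value):
    """List reasons the header fails the preload rules (empty list = passes)."""
    policy = parse_hsts(header_value)
    problems = []
    if policy["max_age"] is None:
        problems.append("max-age is missing or not a number")
    elif policy["max_age"] < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age is below one year (31536000 seconds)")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains is missing")
    if not policy["preload"]:
        problems.append("preload is missing")
    return problems


# Constructed sample header values, not captured from a Good Gallery site.
SAMPLES = [
    "max-age=63072000; includeSubDomains; preload",
    "max-age=15552000",
    'MAX-AGE="31536000"; includesubdomains',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", preload_problems(sample) or "header meets preload rules")
```

The header is only one of the submission requirements; the commitment to serve every current and future subdomain over HTTPS still has to hold.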


Encryption

Encryption keys are used to encode and decode information securely. Your public key is sent to visitors connecting to your site. That public key encrypts data sent to Good Gallery servers. Your private key decrypts the data encrypted by the public key.

Good Gallery uses a 2048-bit RSA key.


Hints & Tips

If you have recently added TLS or SSL to your website, there are onsite and offsite adjustments that you should make to improve your usability and SEO.

Internal links refer to hypertext links in your body content that link to other pages on your website. When you add an SSL certificate, you should review all internal links. If any internal links use absolute links with HTTP, you should change those links to relative links or change the protocol to HTTPS.

  • Absolute links include the full URL to a page (e.g., https://www.example.com/about)
  • Relative links include only the page path (e.g., /about) and automatically use the current domain and protocol

Inbound links refer to links from external websites that point to your website. When you add an SSL certificate, external links should be changed to your updated HTTPS URL wherever possible.

Inbound links are commonly found on:

  • Online proofing systems
  • Business listings
  • Social media profiles
  • Review websites
  • Map listings
  • Directories
  • Paid advertising campaigns
  • External blogs
  • Vendor websites
  • Third-party website management tools

Note: Changing every inbound link to HTTPS will not be an easy task. However, changing those URLs over time can be one of your long-term optimization goals. Search engines may reward your efforts. In the short term, focus on changing your inbound links from popular social networks and directories.

Review all business documents that include website links including email signatures, boilerplate emails, newsletter templates, and proposal templates, and make sure they include your updated HTTPS URL.

301 Redirects

If your 301 Redirects in WordPress use absolute paths that include HTTP, change those redirect URLs to HTTPS.

This should only be necessary for 301 Redirects implemented on other domains you manage or on 301 Redirects you have created using WordPress plugins. Redirects with absolute paths created in Good Gallery settings are automatically migrated to HTTPS.

Mixed Content

When a web page contains both insecure (HTTP) and secure (HTTPS) content, browsers will either display a mixed content warning or block the insecure content without warning.

To prevent mixed content issues, all embedded content, integrated content, external content, and custom scripts must use HTTPS. Specifically, embedded third-party forms must use an HTTPS URL. If the embedded form code is not secure, the form will not appear on your page or a warning may be displayed.
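
Added example (not Good Gallery's own code): a small scanner for the two clean-up tasks described under Internal links and Mixed Content. It reports embedded resources and form targets that still use http://, and absolute http:// links that point back to your own site. The markup and host names are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs that make the browser load or submit to a URL.
FETCH_ATTRS = {
    ("script", "src"), ("img", "src"), ("iframe", "src"), ("source", "src"),
    ("video", "src"), ("audio", "src"), ("link", "href"), ("form", "action"),
}


class InsecureReferenceFinder(HTMLParser):
    """Collect http:// references that need changing after a move to HTTPS."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.mixed_content = []   # (line, tag, url): loaded over HTTP by the page
        self.internal_links = []  # (line, url): absolute http:// links to own site

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        for name, value in attrs:
            url = (value or "").strip()
            if not url.lower().startswith("http://"):
                continue  # https://, relative and protocol-relative URLs are fine
            if (tag, name) in FETCH_ATTRS:
                self.mixed_content.append((line, tag, url))
            elif (tag, name) == ("a", "href") and urlsplit(url).hostname == self.site_host:
                self.internal_links.append((line, url))


def scan(html, site_host):
    finder = InsecureReferenceFinder(site_host)
    finder.feed(html)
    return finder.mixed_content, finder.internal_links


# Constructed sample markup; every host name is a placeholder.
SAMPLE_PAGE = """\
<link rel="stylesheet" href="https://cdn.example.net/site.css">
<a href="http://www.example.com/about">About</a>
<a href="/contact">Contact</a>
<img src="http://images.example.net/hero.jpg">
<iframe src="http://forms.example.net/embed/123"></iframe>
<form action="HTTP://forms.example.net/submit"></form>
"""

if __name__ == "__main__":
    print(scan(SAMPLE_PAGE, "www.example.com"))
```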

Domain Forwarding

Domain forwarding allows you to redirect visitors from one domain to another domain. Domain forwarding settings are managed with tools provided by your domain registrar -- they are not managed with your Good Gallery settings.

If domain forwarding is configured for one or more of the other domains you own, you should change those forwarding details to use HTTPS instead of HTTP. For more information or assistance with domain forwarding, please contact your domain registrar.

CAA

Certification Authority Authorization (CAA) is a standard that helps protect websites by allowing only authorized certification authorities to issue SSL certificates for a domain name. Adding a CAA record to your domain is beneficial, but not required.

Follow these steps to add a CAA record to your domain name:

  1. Sign in to your domain registrar administrative tools.
  2. Select your domain name management tool.
  3. Edit the DNS settings for your domain name.
  4. Add a new domain record for your domain. Enter these values:
    • Type: CAA
    • Name: @
    • Flags: 0
    • Tag: issue
    • Value: letsencrypt.org
    • TTL: 1 hour
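
Added example (not Good Gallery's own code) that goes slightly beyond the steps above: it models how a certification authority evaluates CAA records for a non-wildcard name, including the climb from a subdomain to the record at "@". It shows why an existing CAA record naming only another CA would block the issuer in the value above. The zone data and other-ca.example are constructed, and wildcard (issuewild) handling is left out.

```python
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # tags this example understands


def parse_caa(rdata):
    """Split presentation-form RDATA '<flags> <tag> "<value>"' into a tuple."""
    flags, tag, value = rdata.split(None, 2)
    return int(flags), tag.lower(), value.strip().strip('"')


def relevant_rrset(fqdn, zone):
    """Climb from fqdn toward the root; the first name with CAA records wins."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return [parse_caa(r) for r in records]
    return []


def ca_may_issue(fqdn, ca_domain, zone):
    """True if CAA lets ca_domain issue a non-wildcard certificate for fqdn."""
    records = relevant_rrset(fqdn, zone)
    # A critical (flag bit 128) property the CA does not understand blocks issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    # The issuer name is everything before any ';parameters'; it may be empty.
    allowed = [value.split(";", 1)[0].strip().lower()
               for _, tag, value in records if tag == "issue"]
    if not allowed:
        return True  # no issue property at all: CAA imposes no restriction
    return ca_domain.lower() in allowed


# Constructed zone data. "example.com" holds the record from the steps above;
# the other names show records that lock that issuer out.
ZONE = {
    "example.com": ['0 issue "letsencrypt.org"'],
    "shop.example.com": ['0 issue "other-ca.example"'],
    "static.example.com": ['0 issue ";"'],
}

if __name__ == "__main__":
    for name in ("www.example.com", "shop.example.com", "static.example.com"):
        print(name, ca_may_issue(name, "letsencrypt.org", ZONE))
```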

Purchasing Certificates

Good Gallery certificates are free and are included with your hosting fee. Other SSL certificates purchased from third-party providers cannot be used with your Good Gallery website.


Unsupported Browsers

Some older browsers are unable to access secure websites. Those browsers use dated technology that does not meet the security standards required by SSL certificates. The unsupported browsers include:

Desktop Browsers

  • Apple Safari before Version 2.1
  • Google Chrome before Version 6
  • Internet Explorer before Version 7
  • Internet Explorer on Windows XP before Service Pack 3
  • Mozilla Firefox before Version 2.0

Mobile Browsers

  • Android Browsers before Version 3.0
  • Blackberry before Version 10.3.3
  • iOS Safari before Version 4.0
  • Windows Phone Browsers before Version 7

Other Browsers

  • Nintendo 3DS
  • PS3 Game Console
  • PS4 Game Console before Version 5.00 Firmware

If you would like to provide a pop-up GDPR cookie warning message on your website, here is sample JavaScript that is compatible with Good Gallery:

<link rel="stylesheet" type="text/css"
  href="https://cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.0.3/cookieconsent.min.css" />
<script
  src="https://cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.0.3/cookieconsent.min.js"></script>
<script>
window.addEventListener("GGLoad", function(){
  window.cookieconsent.initialise({
    "palette": {
      "popup": { "background": "#000000" },
      "button": { "background": "#54f75b" }
    },
    "content": {
      "message": "This website uses cookies and tracking technologies. By continuing to use this website, you agree with the terms outlined in our Privacy Policy.",
      "dismiss": "OK",
      "link": "Privacy Policy",
      "href": "/privacy-policy"
    }
  });
});
</script>

Follow these steps to add this JavaScript to your website:

  1. Sign in to your Good Gallery administrator account.
  2. Hover your cursor over the Site menu.
  3. Under the Your Settings menu heading, choose Site Options.
  4. Edit the HEAD Info setting.
  5. Add the JavaScript to the fields for both Desktop and Mobile.
  6. Change the "href": "/privacy-policy" value in the JavaScript to point to the URL where your Privacy Policy is located.
  7. Click the Save Changes button.
