Opportunistic encryption enables browsers to access HTTP links over an encrypted TLS connection. This enhances security for websites that have not fully migrated to HTTPS.
How it works
When a browser that supports opportunistic encryption accesses a site where this feature is enabled, Edge Security Acceleration (ESA) points of presence (POPs) automatically add the Alt-Svc header to the HTTP response. This header informs the browser that the site has HTTPS capabilities and supports HTTP/2 over TLS on a specified port, typically port 443. The browser can then automatically use a TLS-encrypted connection for subsequent requests and verify that the server certificate is signed by a trusted certificate authority (CA). If the certificate is verified, the browser communicates with the server over the encrypted connection using the HTTP/2 protocol. This improves data transfer security and efficiency. For example:
For a domain name with HTTPS and HTTP/2 enabled, Alt-Svc: h2=":443"; ma=86400 is returned.
For a domain name with HTTPS and HTTP/3 enabled, Alt-Svc: h3=":443"; ma=86400 is returned.
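To confirm that a site returns the header described above, the following Python sketch parses an Alt-Svc value (RFC 7838 syntax) and checks it against the values shown on this page. It is an added example, not code from the ESA documentation; the function names and the policy defaults (h2/h3 only, same host, port 443, max-age no longer than 86400 seconds) are assumptions made for illustration.

```python
import re

# alt-value = protocol-id "=" quoted-authority *( ";" parameter )   (RFC 7838)
ALT_RE = re.compile(
    r'([A-Za-z0-9%._~+-]+)="([^"]*)"'
    r'((?:\s*;\s*[A-Za-z0-9_-]+=(?:"[^"]*"|[^;,\s]+))*)')
PARAM_RE = re.compile(r';\s*([A-Za-z0-9_-]+)=(?:"([^"]*)"|([^;,\s]+))')

def parse_alt_svc(value):
    """Parse an Alt-Svc header value into a list of dicts, one per alternative."""
    if value.strip() == "clear":          # "clear" withdraws all alternatives
        return []
    entries = []
    for proto, authority, raw_params in ALT_RE.findall(value):
        host, _, port = authority.rpartition(":")
        params = {k.lower(): (q or u) for k, q, u in PARAM_RE.findall(raw_params)}
        entries.append({
            "proto": proto,
            "host": host,                                   # "" means same host
            "port": int(port) if port.isdigit() else None,
            "ma": int(params.get("ma", 86400)),             # RFC default: 24 hours
        })
    return entries

def audit_alt_svc(value, allowed_protos=("h2", "h3"), expected_port=443, max_ma=86400):
    """Return findings; an empty list means the header matches the assumed policy."""
    entries = parse_alt_svc(value)
    findings = [] if entries else ["no alternative service advertised"]
    for e in entries:
        if e["proto"] not in allowed_protos:
            findings.append(f"unexpected protocol: {e['proto']}")
        if e["host"]:
            findings.append(f"alternative points at another host: {e['host']}")
        if e["port"] != expected_port:
            findings.append(f"unexpected port: {e['port']}")
        if e["ma"] > max_ma:
            findings.append(f"max-age too long: {e['ma']}")
    return findings

if __name__ == "__main__":
    # The two values from this page, plus one constructed value that should be flagged.
    for sample in ('h2=":443"; ma=86400',
                   'h3=":443"; ma=86400',
                   'h2="other.example:8443"; ma=604800'):
        print(sample, "->", audit_alt_svc(sample) or "OK")
```
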
Enable opportunistic encryption
In the ESA console, choose Websites. In the Website column, click the target site.
In the navigation pane on the left, choose .
In the Opportunistic Encryption section, turn on the switch.
