Incapsula protects applications and websites from external attacks, such as DDoS, SQL injection, scraping, and content defacing by filtering any malicious and unwanted activity. Staring with a DNS change, our servers inspect traffic between the end users’ device and web servers hosting the sites and applications. The data is encrypted using secure sockets layer (SSL). SSL is the standard security technology for establishing an encrypted link between a web server and a browser. SSL ensures that the data exchanged between the web server and user remains private and integral in their own session.

How Incapsula Works

Incapsula deploys a network of reverse proxies on its global CDN. These proxies evaluate any web traffic passing through the Incapsula network to inspect, identify, and act on any malicious or unwanted activity. To achieve this, Incapsula provides website owners with a unique name (CNAME) for each site. The site owners update the domain DNS to the hostname (CNAME). For every visitor to the site, the Incapsula data center serves and resolves the hostname, acting as a proxy.

Implementing SSL

Incapsula automatically detects whether the origin supports SSL (HTTPS) traffic when you add a website to our service during on boarding. SSL support is available for Pro, Business and Enterprise accounts.

Incapsula SSL support

To enable Incapsula to support SSL traffic for your website, the preferred option is to have your domain added to one of our shared certificates. This is done at no additional cost to you.

To use our certificate, you’ll need to approve the change by our preferred certificate authority, Globalsign. This can be done either by email or DNS entry. By default, we will request approval for both the naked and the wildcard of the site’s domain. This means the approval process is only needed once per domain. If you’d like to only approve the specific site name, you’ll need to send a support ticket.

Approving your domain to our shared SSL certificate involves these three simple steps:

  1. Choose either DNS or email verification:
    1. DNS:
      1. You will be provided with a TXT entry to be added to your public DNS records.Incapsula SSL support -- updating DNS records
      2. Once added, our automated system will validate this and send the notification to Globalsign to verify.
    2. Email:
      1. Within 24 hours of adding the website you will receive two e-mails from GlobalSign requesting approval to generate an SSL certificate for your domain. One for the naked domain, one for the wildcard. Both need to be approved.
      2. To approve theses request(s) simply reply with “yes” in the message body.
    3. After your approval, Incapsula will await verification from GlobalSign to provision the service to enable support SSL on your domain. This verification process can take up to 24 hours. Be aware that some sites may be subject to additional steps, known as extended validation, if the domain name or industry is more prevalent to phishing or other malicious activity.
  1. You will be notified by email once the process is completed, and you will be able to proceed to the final step of adding your website to the Incapsula service.

Incapsula SSL support

You can also choose to add your website to Incapsula without SSL support. In this event, any user that accesses your site using SSL will receive a warning from his browser and be unable to connect.

If you didn’t implement SSL when you first onboarded Incapsula, we will continue to monitor your SSL support.

When the system detects the need for SSL, new SSL controls will auto-appear in you ‘Settings’ screen and you can follow the process above to enable support.

For more on adding SSL support for your site, please refer to our guide in our documentation center.

Let us know if you have any questions about SSL or onboarding.

Would you like to write for our blog? We welcome stories from our readers, customers and partners. Please send us your ideas: blog@incapsula.com