Opportunistic encryption enables browsers to access HTTP links over a TLS connection. This enhances security for sites that have not fully migrated to HTTPS.
How it works
When a browser that supports opportunistic encryption visits a site where this feature is enabled, the Edge Security Acceleration (ESA) node automatically adds an Alt-Svc header to the HTTP response to inform the browser that the site has HTTPS capabilities and supports HTTP/2 over TLS on a specified port (usually 443). This causes the browser to automatically establish an encrypted connection by using Transport Layer Security (TLS) for subsequent requests and verify that the certificate provided by the server is signed by a trusted Certificate Authority (CA). If the certificate verification passes, the browser begins to communicate with the server over the encrypted connection by using the HTTP/2 protocol, which improves the security and efficiency of data transmission. For example:
For a domain name with HTTPS and HTTP/2 enabled, the response includes Alt-Svc: h2=":443"; ma=86400.
For a domain name with HTTPS and HTTP/3 enabled, the response includes Alt-Svc: h3=":443"; ma=86400.
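To confirm what a site actually advertises, the following Python sketch (an added example, not ESA's or this page's own code) parses an Alt-Svc value in the format shown above and reports deviations from what this page describes: h2 or h3 on port 443. The function names, the choice of checks and the sample responses are assumptions constructed for illustration.

```python
def parse_alt_svc(value):
    """Parse an Alt-Svc header value (RFC 7838) into a list of dicts."""
    value = value.strip()
    if value.lower() == "clear":      # "clear" withdraws all advertised alternatives
        return []
    entries = []
    for alt in value.split(","):      # assumes no comma inside the quoted authority
        fields = [f.strip() for f in alt.split(";")]
        proto, eq, authority = fields[0].partition("=")
        host, colon, port = authority.strip('"').rpartition(":")
        if not eq or not colon or not port.isdigit():
            raise ValueError(f"malformed alt-value: {alt.strip()!r}")
        params = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
        entries.append({
            "protocol": proto,
            "host": host,             # empty means "same host as the origin"
            "port": int(port),
            "ma": int(params.get("ma", "86400").strip('"')),  # RFC 7838 default: 24 hours
        })
    return entries


def check_alt_svc(headers, protocols=("h2", "h3"), port=443):
    """Return a list of findings; an empty list means the header looks as documented."""
    raw = next((v for k, v in headers.items() if k.lower() == "alt-svc"), None)
    if raw is None:
        return ["no Alt-Svc header: opportunistic encryption is not advertised"]
    alts = parse_alt_svc(raw)
    if not alts:
        return ["Alt-Svc: clear, so no alternative service is advertised"]
    findings = []
    for alt in alts:
        if alt["protocol"] not in protocols:
            findings.append(f"unexpected protocol {alt['protocol']!r}")
        if alt["port"] != port:
            findings.append(f"unexpected port {alt['port']}")
        if alt["host"]:               # assumption: a different host deserves review
            findings.append(f"alternative is on another host: {alt['host']}")
        if alt["ma"] <= 0:
            findings.append("ma is not positive, so the entry expires immediately")
    return findings


# Constructed sample responses: the two header values from this page plus one deviation.
SAMPLES = [
    {"Alt-Svc": 'h2=":443"; ma=86400'},
    {"alt-svc": 'h3=":443"; ma=86400'},
    {"Alt-Svc": 'h2="alt.example.net:8443"; ma=0'},
]

if __name__ == "__main__":
    for headers in SAMPLES:
        print(headers, "->", check_alt_svc(headers) or "OK")
```

In practice, pass the response headers collected from a plain HTTP request to the site to check_alt_svc in place of the constructed samples.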
Enable opportunistic encryption
In the ESA console, choose Websites. In the Website column, click the target site.
In the left-side navigation pane, choose .
In the Opportunistic Encryption section, turn on the switch.

Global vs. rule-based configurations
Global configurations for a site affect all its requests. If you want to enable this feature only for specific requests, you can use a rule. Rules allow you to set conditions that match specific request parameters, precisely controlling which requests the feature applies to. This global setting corresponds to the Opportunistic Encryption rule.