Protecting users' privacy on Disqus

Posted by BYK (Burak Yiğit Kaya) on February 27, 2017

Here at Disqus, we love our users, and we respect them and their privacy. Over the years, we’ve introduced stronger privacy controls such as honoring the Do Not Track setting in browsers, implementing Content Security Policy headers to protect you from possible XSS attacks, and supporting a solution for loading Disqus over HTTPS. Our Home and moderation interfaces are already HTTPS-only, and now we are proud to announce that our commenting system, Engage, is also HTTPS-only.

Why publishers should update their site to HTTPS

Achieving 100% HTTPS is important not just for protecting users' privacy but also for the SEO benefits it brings publishers. In fact, Google uses HTTPS as a ranking signal, and if your site accepts passwords or credit card information, the latest updates for Chrome and Firefox will warn users that the page is not secure. Publishers such as PetaPixel, 9to5Mac, and ScienceNews have already gone fully HTTPS.

Now is the time to update your site to HTTPS if you haven’t already. We recommend checking out Let’s Encrypt, a free, open certificate authority that makes it super easy for sites to enable SSL. Since its launch, the organization has helped add encryption to over 24 million sites.

Making Disqus 100% HTTPS

We’ve been working towards making Disqus fully HTTPS consistently for the past year, slowly migrating various parts of our infrastructure to be HTTPS-only, including:

  • Login and registration flows
  • API requests
  • Comment iframe

We will soon start issuing redirects for requests made to the HTTP version of the embed.js file to its HTTPS version, to ensure end-to-end integrity and security for everyone. This will be followed by adding Strict-Transport-Security headers, so that once a user sees Disqus over HTTPS, their browser will never contact our services over unencrypted protocols again.

That said, if you cannot wait, go ahead and change your embedding code to explicitly use HTTPS instead of a protocol-relative URL (like //shortname.disqus.com/embed.js) or, worse, an exact HTTP one (like http://shortname.disqus.com/embed.js).
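As an added example (not Disqus's own code), the following JavaScript checks a publisher's embed snippet for embed.js references in the three forms mentioned above (protocol-relative, explicit HTTP, explicit HTTPS) and rewrites them to the explicit-HTTPS form; the sample snippet, the shortname "example", and the assumption that shortnames contain only letters, digits and hyphens are constructed for illustration.

```javascript
// Matches a Disqus embed.js reference in any of the forms the post lists:
// explicit https://, explicit http://, or protocol-relative //.
// Assumption: a shortname is made of letters, digits and hyphens only.
const EMBED_REF = /(https?:)?\/\/([a-z0-9-]+)\.disqus\.com\/embed\.js/gi;

// Return the explicit-HTTPS form of one embed URL, or null if the string
// is not an embed.js URL for a disqus.com shortname at all.
function toHttpsEmbedUrl(url) {
  const m = new RegExp(`^${EMBED_REF.source}$`, "i").exec(url.trim());
  return m ? `https://${m[2].toLowerCase()}.disqus.com/embed.js` : null;
}

// List every embed.js reference that could still be fetched without TLS:
// explicit http://, or protocol-relative (which follows the page's scheme,
// so it is plain HTTP whenever the page itself is served over HTTP).
function findInsecureEmbedRefs(text) {
  const out = [];
  for (const m of text.matchAll(EMBED_REF)) {
    if ((m[1] || "").toLowerCase() !== "https:") out.push(m[0]);
  }
  return out;
}

// Rewrite all embed.js references in a snippet to explicit https://,
// leaving everything else in the snippet untouched.
function rewriteEmbedRefs(text) {
  return text.replace(EMBED_REF, (_whole, _scheme, shortname) =>
    `https://${shortname.toLowerCase()}.disqus.com/embed.js`);
}

// Constructed sample: a publisher's embed snippet still using the
// protocol-relative form the post advises against.
const SAMPLE_SNIPPET = [
  "var d = document, s = d.createElement('script');",
  "s.src = '//example.disqus.com/embed.js';",
  "(d.head || d.body).appendChild(s);",
].join("\n");

console.log(findInsecureEmbedRefs(SAMPLE_SNIPPET)); // ['//example.disqus.com/embed.js']
console.log(rewriteEmbedRefs(SAMPLE_SNIPPET));       // same snippet with https://example.disqus.com/embed.js
```

Running `findInsecureEmbedRefs` over your page templates before deploying is a quick way to confirm nothing still references embed.js over HTTP or via a protocol-relative URL.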