Converting to HTTPS isn't just about servers

When people talk about implementing HTTPS they are primarily talking about implementing it on a server. But HTTPS makes demands on the content of pages too. You can't use a <script> or <link> element to point to an HTTP page from an HTTPS-served page. If you try, the browser will refuse, with a message like this:

Mixed Content: The page at <URL> was loaded over HTTPS, but requested an insecure script <URL>. This request has been blocked; the content must be served over HTTPS.

If you view the JavaScript console for this page you'll see 21 such messages.

Nothing wrong with this design, but if you have to go back in time and retrofit HTTPS on a site that was initially created to be served with HTTP, you very likely will either have to convert a bunch of sites, or move things around. In my own setup this alone would result in a lot of breakage.