For years I've known about the security risks of building and serving APEX application over just plain HTTP. My reasons for not doing so? Cost and Complexity.
Last year those reasons became obsolete by the service provided by Let's Encrypt. Dimitri introduced the use of HTTPS for your APEX apps last spring and I finally got around to updating my website(s) to use HTTPS.
The following are basically my notes for enabling HTTPS in my environment. I have a droplet on DigitalOcean that is running centOS 6.7. This comes with shell access so according to the Let's Encrypt site I can use the Certbot ACME client. I visited the Certbot site and selected the software (Apache) and system (CentOS 6) for my system.
This gave me the commands I needed to install certbot. I logged into my server (as root) and ran the following commands as directed:
chmod a+x certbot-auto
I then executed certbot-auto which presents various dialog screens to step you through the process of obtaining and activating the certificates.
Certbot was downloaded to a directory that was not included in my path, so I moved it.
$ mv certbot-auto /usr/local/sbin/certbot-auto
Also certbot didn't see all the sites I had configured (I forget why) I had to specify the site name(s) when I ran certbot wizard.
$ certbot-auto --apache -d eberapp.com -d www.eberapp.com
Certbot took care of creating the virtual hosts configuration files to redirect HTTP traffic to HTTPS and all the certificate settings.