Last year, we activated SSL on all Solo, Basic, and Business accounts.  As we continue to ensure the highest standards of security, we will now automatically enforce SSL on all plans, starting September 1st.  This means all trial and free accounts, as well as paid plans that previously did not take advantage of it, will now have SSL enabled by default. We want to share how this will affect you, your Harvest account, and any Harvest add-ons you may rely on.

For the non-technically inclined, HTTPS (SSL) is a security layer which ensures that the server your browser is communicating with belongs to Harvest (and is not an impostor) and also encrypts your communication with Harvest servers, to prevent eavesdropping.

What does this mean for you?

For the majority of Harvest customers who access Harvest using a modern web browser (Mozilla Firefox, Internet Explorer 7 and above, Chrome, Safari, etc.), this change should be totally seamless and you won’t need to do anything.  Depending on which browser you use, you might notice a new hint in your address bar that your connection to Harvest is now secure.

Do you use one of our Harvest widgets?

  • If you use the Mac widget, you don’t need to do anything differently; it’ll work the same as it does now.
  • If you use the Yahoo widget, you’ll need to check the “SSL” checkbox on the widget options after we make the change September 1st.
  • If you use the Vista gadget, you may actually need to re-install the Vista gadget after we make the change September 1st.

Have further questions?  Feel free to contact us.

Technical Information for Harvest API integrators and authors of Harvest API clients

For Harvest customers who have integrated Harvest into other systems using an API client, we need to make sure that your integration continues to function properly. We’ve already begun reaching out to authors of popular Harvest API clients. Many thanks to Zach Moazeni, Brian Glass and Matthew Denton for helping test their Harvest API clients so far. We will update this post with any news on these clients.

If your Harvest API integration has in the past communicated with Harvest over HTTP (i.e., not HTTPS), from September 1st onwards these requests will be met with an HTTP 302 redirect to the HTTPS location of your Harvest subdomain. To continue to communicate with Harvest, your API client will need to support SSL as well as follow these HTTP 302 redirects. Please open a support ticket if you need any help with this, or have any questions about supporting SSL.

Technical note: Why are we using an HTTP 302 redirect and not an HTTP 301 or an HTTP 303? We suspect there may be API clients which will follow a 302 and may not follow a 301 or 303. It is a good idea for an API client to obey any redirect in the 3xx class. Please contact us for more details on this issue.
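The redirect handling described above, as an added example that is not Harvest's code or taken from any of the API clients mentioned: it accepts any 3xx status that carries a Location header, but only follows it when the target is HTTPS on the same host. The function names, the `send` transport callback and the host `acme.example.com` are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}  # 3xx statuses that carry a Location
MAX_HOPS = 3

class UnsafeRedirect(Exception):
    """Raised when a redirect should not be followed."""

def next_url(current_url, status, location):
    """Return the URL to retry, or None if the response is not a redirect."""
    if status not in REDIRECT_CODES:
        return None
    if not location:
        raise UnsafeRedirect("redirect without Location header")
    target = urlsplit(urljoin(current_url, location))  # Location may be relative
    origin = urlsplit(current_url)
    if target.scheme != "https":
        raise UnsafeRedirect("redirect target is not HTTPS")
    if target.hostname != origin.hostname:
        raise UnsafeRedirect("redirect leaves the account's host")
    return target.geturl()

def fetch(url, send):
    """Call send(url) -> (status, headers, body), following safe redirects.

    `send` is a hypothetical transport callback so the logic runs offline;
    in a real client it wraps the HTTP library with automatic redirects off.
    """
    for _ in range(MAX_HOPS + 1):
        status, headers, body = send(url)
        target = next_url(url, status, headers.get("Location"))
        if target is None:
            return url, status, body
        url = target
    raise UnsafeRedirect("too many redirects")

# Constructed sample transport: plain HTTP answers 302, HTTPS answers 200.
def fake_send(url):
    if url.startswith("http://"):
        return 302, {"Location": "https://" + url[len("http://"):]}, ""
    return 200, {}, "<ok/>"

if __name__ == "__main__":
    print(fetch("http://acme.example.com/daily", fake_send))
```

The first element `fetch` returns is the final HTTPS URL; storing it as the client's base URL means later requests, and any credentials they carry, skip the plaintext hop.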

Developers, have any further questions? Please visit the Harvest forum.