Tips to force website to all SSL/Https without performance degradation

Most websites today work on both http (port 80) and https (port 443), but for better security it is best to always serve the website over https. Running everything over https has numerous benefits, including better privacy, security and improved SEO ranking. Here is a detailed video on how to enable "Https Everywhere". Yes, I see that SSL has benefits, but as a performance engineer I always have to make sure that functional changes do not degrade performance. Existing https pages did not have any performance impact, but performance on http pages (pages like Home, Search, Product listing etc.) was impacted because of the redirection to https and the additional overhead of SSL negotiation. Below are some tips/tricks I used to minimize the impact on page load time.

Please share if you have used any other technique for improving performance.

Application Changes
  1. Make sure the root domain redirects to the https version of the website. E.g.: if your website is www.test.com, make sure test.com redirects to https://www.test.com, not http://www.test.com. This saves a 301/302 redirect.
  2. If your website is hosted on a CDN, ensure that the CDN does the global http to https redirect. Redirects are much faster at the edge node than having the origin web farm perform them. Retain the URI and query params during the redirect.
  3. If your website supports device detection at the edge, make sure that the redirect from the root domain goes to the www or m version of the website based on device type. This cuts down one 301/302 redirect.
  4. Update all link source URLs to https; this eliminates redirects at the source, removing the need to perform a 301/302 redirect.
  5. Use protocol-relative URLs in the HTML, which eliminates the need for hard-coding http/https in the source URLs. The browser will use the right protocol, and this stops the annoying mixed-content message.
  6. Change all POST calls to https, because POST calls that are 301 redirected lose the POST body. You can change the POST calls to https or perform a 307 redirect to preserve the POST body.
  7. If you have a source control/versioning system, make sure to scan all http:// references and replace them with the https:// equivalent.
  8. Update the protocol on canonical tags to https.
  9. Make sure that all links in the site directory and sitemap are updated to https. Run the updated sitemap through Google Webmaster console.
  10. Update robots.txt to allow Google bots to crawl https content. Submit robots.txt in Google Webmaster Tools to make sure Google bots are allowed.
  11. Make sure that all affiliate feeds are generating https URLs.
  12. Update pagination URLs to be https at the source.
  13. Update all marketing tags, like DoubleClick and pixels, to https.
  14. Set the Secure attribute on cookies wherever possible.
Network/Security Changes
  1. Ensure that the security header Strict-Transport-Security is set with a very low max-age during launch, e.g. Strict-Transport-Security: max-age=3600. Worst case, if you have to roll back the deployment, this header will not impact users much. max-age can be increased later to a day, month, year etc. based on deployment stability. Once all subdomains are migrated to https, add includeSubDomains and preload the domain. You can add the response header at the origin web farm or at the CDN.
  2. Ensure that the security header Content-Security-Policy: upgrade-insecure-requests is set during launch. This header ensures that resources that were missed during the https upgrade will automatically be upgraded to the secure protocol, avoiding the mixed-content error.
  3. Have SHA-2 SSL certificates enabled on the browser-facing domain. These need to be installed on the CDN or wherever SSL is terminated. Most popular websites terminate on BIG-IP or at the CDN edge, so please ensure that the right SHA-2 certs are installed. To validate the quality of the security certificate, use this link.
  4. Disable weaker cipher suites in the SSL/TLS configuration. This ensures that the website is better protected against attacks.
  5. Enabling the HTTP/2 protocol will be a big performance boost.
  6. Modern CDNs also provide Brotli compression support. It is good to enable this if available.
  7. If your primary domain has multiple CNAMEs, cut down the CNAME records in the DNS lookup chain. This will speed up the DNS resolution process. Any improvement to DNS resolution will improve website performance across the board.
  8. Ensure that keep-alive connections are active between browser -> CDN/origin.
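The following is an added example, not code from the article: an offline check that applies the application and network tips above to a redirect chain and a set of response headers. The chain, headers and cookie are constructed sample data and the function names are my own; in practice you would feed it the hops and headers captured from your own CDN or origin.

```python
# Added example, not from the article: audit a redirect chain and response
# headers against the https checklist. Sample data below is constructed.
from urllib.parse import urlsplit
# Constructed: hops seen when requesting the bare root domain, as (url, status, Location).
SAMPLE_CHAIN = [
    ("http://test.com/search?q=ssl", 301, "http://www.test.com/search?q=ssl"),
    ("http://www.test.com/search?q=ssl", 301, "https://www.test.com/search?q=ssl"),
]
SAMPLE_HEADERS = {  # constructed: headers of the final https response
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "upgrade-insecure-requests",
    "Set-Cookie": ["session=abc; Path=/; HttpOnly"],
}

def audit_chain(chain):
    """Flag extra hops, non-https targets and lost path/query in a redirect chain."""
    findings = []
    if len(chain) > 1:
        findings.append(f"{len(chain)} redirects before https; root should go straight to https")
    for url, _status, location in chain:
        src, dst = urlsplit(url), urlsplit(location)
        if dst.scheme != "https":
            findings.append(f"{url} redirects to non-https {location}")
        if (src.path, src.query) != (dst.path, dst.query):
            findings.append(f"{url} drops path or query string during redirect")
    return findings

def hsts_max_age(value):
    """Return the integer max-age of an HSTS header value, or None if absent."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.isdigit():
            return int(val)
    return None

def audit_headers(headers, launch_phase=True):
    """Check HSTS max-age, upgrade-insecure-requests and the cookie Secure flag."""
    findings = []
    max_age = hsts_max_age(headers.get("Strict-Transport-Security", ""))
    if max_age is None:
        findings.append("missing Strict-Transport-Security")
    elif launch_phase and max_age > 86400:  # keep rollback cheap: at most a day at launch
        findings.append(f"HSTS max-age={max_age} is too long for launch")
    if "upgrade-insecure-requests" not in headers.get("Content-Security-Policy", ""):
        findings.append("CSP lacks upgrade-insecure-requests")
    for cookie in headers.get("Set-Cookie", []):
        if "secure" not in {part.strip().lower() for part in cookie.split(";")}:
            findings.append(f"cookie {cookie.split('=')[0]} lacks the Secure attribute")
    return findings
```

Run against the sample data it reports the extra www hop, the http intermediate target and the cookie without Secure, which are exactly the cases tips 1, 2 and 14 above are meant to remove.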
Reporting/Monitoring Changes
  1. Deploy a reporting policy that can track all the http URLs after the website is live. This will help in tracking all http URLs, which can be fixed later.
  2. Ensure that popular bots are able to crawl your web pages properly. You should see traffic drop on http and increase on https.
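As an added example of the reporting tip above (not part of the article), the snippet below assumes the reporting policy is a CSP with a report-uri endpoint, and aggregates the violation reports browsers POST there into the list of http URLs that still need fixing. The reports are constructed sample data and the function names are my own.

```python
# Added example, not from the article: turn CSP violation reports (the JSON a
# report-uri endpoint receives) into a per-host list of remaining http URLs.
import json
from collections import Counter, defaultdict
from urllib.parse import urlsplit

SAMPLE_REPORTS = [  # constructed, in the csp-report shape browsers POST
    '{"csp-report": {"document-uri": "https://www.test.com/", "blocked-uri": "http://img.test.com/logo.png", "violated-directive": "img-src"}}',
    '{"csp-report": {"document-uri": "https://www.test.com/", "blocked-uri": "http://img.test.com/logo.png", "violated-directive": "img-src"}}',
    '{"csp-report": {"document-uri": "https://www.test.com/search", "blocked-uri": "http://ads.example.net/pixel.gif", "violated-directive": "img-src"}}',
    '{"csp-report": {"document-uri": "https://www.test.com/", "blocked-uri": "inline", "violated-directive": "script-src"}}',
    'not json at all',
]

def http_violations(raw_reports):
    """Count (page, blocked http URL) pairs; skip malformed reports and non-http blocks."""
    counts = Counter()
    for raw in raw_reports:
        try:
            report = json.loads(raw).get("csp-report", {})
        except (ValueError, AttributeError):
            continue  # malformed or unexpected bodies are common at a public endpoint
        blocked = report.get("blocked-uri", "")
        if urlsplit(blocked).scheme == "http":
            counts[(report.get("document-uri", ""), blocked)] += 1
    return counts

def hosts_to_fix(counts):
    """Group the http hits by host so each owner gets one list of URLs to fix."""
    by_host = defaultdict(set)
    for (_page, blocked), _n in counts.items():
        by_host[urlsplit(blocked).hostname].add(blocked)
    return {host: sorted(urls) for host, urls in by_host.items()}
```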

By Dhilip venkatesh Uvarajan