HTTPS (HTTP Secure)

Protocols & Transport Security Notes Jan 9, 2026 HTTP
protocol security encryption tls ssl

Definition

HTTPS (HTTP Secure) is HTTP wrapped in a secure TLS (Transport Layer Security) layer. Think of it as HTTP wearing armor - the same protocol, but with encryption protecting every byte of data transmitted between client and server.

When you see that padlock icon in your browser, that’s HTTPS at work. Every request and response is encrypted before transmission, so even if someone intercepts the traffic, they see gibberish instead of readable data. HTTPS also provides authentication - you know you’re talking to the real server, not an imposter.

HTTPS operates on port 443 (vs HTTP’s port 80). During connection setup, client and server perform a TLS handshake to establish encryption keys. After that, all HTTP traffic flows through the encrypted tunnel. Modern browsers require HTTPS for many features (geolocation, service workers, HTTP/2) and flag plain HTTP sites as “Not Secure”.

Example

Banking Website: When you log into your bank at https://bank.com, HTTPS encrypts your password during transmission. Without HTTPS, anyone on the same WiFi could see your credentials.

E-commerce Checkout: Amazon uses HTTPS for all pages. When you enter credit card details, HTTPS ensures they’re encrypted in transit. Credit card companies require HTTPS for PCI compliance.

API Authentication: Modern APIs require HTTPS. When your app sends Authorization: Bearer TOKEN to an API, HTTPS prevents token theft. OAuth 2.0 mandates HTTPS for token endpoints.

Public WiFi Protection: At a coffee shop, HTTPS prevents others on the WiFi from seeing which pages you visit, what data you submit, or stealing session cookies. Without HTTPS, public WiFi is a security nightmare.

Analogy

The Sealed Letter: HTTP is like a postcard - anyone handling it can read the message. HTTPS is like a sealed envelope - only the recipient can read it. Even if the postman is curious, the message stays private.

The Armored Truck: Sending money via HTTP is like tossing cash into an open truck. Anyone could grab it. HTTPS is an armored truck with locked compartments - even if robbers attack, the money stays protected.

The Encrypted Phone Call: HTTP is a speaker phone - everyone nearby can hear. HTTPS is an encrypted phone call - even if someone taps the line, they hear only noise, not your conversation.

Code Example

// HTTPS Request (encrypted in transit)
GET /api/account/balance HTTP/1.1
Host: api.bank.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

// What an eavesdropper sees (gibberish)
16 03 03 00 a5 02 00 00 a1 03 03 5c 8f 9a 2b...

// HTTPS Response (decrypted at client)
HTTP/1.1 200 OK
Content-Type: application/json
Strict-Transport-Security: max-age=31536000

{
  "account": "****1234",
  "balance": 5432.10,
  "currency": "USD"
}

Diagram

sequenceDiagram
participant Client
participant Server
Client->>Server: TLS Handshake (negotiate encryption)
Server->>Client: Server certificate (verify identity)
Client->>Server: Encrypted HTTP Request
Server->>Client: Encrypted HTTP Response
Note over Client,Server: All traffic encrypted with TLS

Security Notes

SECURITY NOTES

CRITICAL: Always use HTTPS. HTTP is deprecated and insecure. All APIs must use HTTPS with modern TLS.

TLS/SSL Configuration:

  • TLS 1.2 minimum: Disable SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1
  • TLS 1.3 preferred: Use TLS 1.3 for best security and performance
  • Modern ciphers: Use ECDHE for forward secrecy, AES-GCM or ChaCha20-Poly1305
  • Disable weak ciphers: No NULL, RC4, DES, or MD5-based ciphers

Certificate Management:

  • Valid certificates: Use certificates from trusted CAs
  • Not self-signed: Don’t use self-signed certificates in production
  • Certificate expiration: Monitor and renew before expiration
  • SAN certificates: Use Subject Alt Names for multiple domains
  • Wildcard certificates: Use with caution (matches subdomains)

Certificate Pinning:

  • Pin production certs: Use HPKP or certificate pinning for critical APIs
  • Pinning strategy: Pin leaf cert, intermediate, or root
  • Backup pins: Include backup pins for rotation

HSTS & Security Headers:

  • Strict-Transport-Security: Force HTTPS for all future connections
  • Max-age: Set long-term HSTS max-age (12+ months)
  • Include subdomains: Include subdomains in HSTS policy
  • Preload: Submit domain to HSTS preload list

Common Misconfigurations:

  • Mixed content: HTTPS page loading HTTP resources
  • HTTP redirects: Unencrypted redirect to HTTPS
  • Weak ciphers: Supporting old ciphers for compatibility
  • Certificate chain: Incomplete certificate chain in responses

Implementation:

  • Reject HTTP: Return 400/403 for HTTP requests
  • Redirect: Temporarily redirect HTTP to HTTPS (301/302)
  • Enforce globally: Never allow fallback to HTTP
  • Monitor: Alert on certificate issues

Best Practices

  1. Use HTTPS everywhere, no exceptions
  2. Obtain certificates from trusted Certificate Authorities (Let’s Encrypt is free and automated)
  3. Enable HTTP Strict Transport Security (HSTS) with long max-age
  4. Use modern TLS 1.3 or minimum TLS 1.2
  5. Disable weak ciphers and protocols (TLS 1.0, TLS 1.1, SSLv3)
  6. Implement automatic certificate renewal (certbot, acme.sh)
  7. Test SSL configuration with tools like SSL Labs
  8. Redirect HTTP to HTTPS with 301 status
  9. Use CAA DNS records to restrict certificate issuance
  10. Monitor certificate expiration dates

Common Mistakes

Using HTTP for “non-sensitive” pages (cookies leak!), self-signed certificates in production, expired certificates, mixed HTTP/HTTPS content, not enabling HSTS, allowing weak TLS versions, improper certificate validation, forgetting to renew certificates, not testing HTTPS configuration.

Standards & RFCs

Standards & RFCs
1)RFC 2818- HTTP Over TLS
2)RFC 8446- TLS 1.3
3)RFC 6797- HTTP Strict Transport Security (HSTS)
4)RFC 7469- Public Key Pinning

Related Terms: