HTTPS (Hypertext Transfer Protocol Secure)
HTTPS is the secure version of HTTP that uses TLS (Transport Layer Security) to encrypt data in transit and provide integrity and (typically) server authentication. In practice, it’s what turns http://example.com into https://example.com and enables the padlock indicator in browsers.
HTTPS (Hypertext Transfer Protocol Secure) is HTTP over TLS—the standard way to encrypt web traffic, protect credentials and sessions, and reduce man-in-the-middle (MITM) risk using certificates and the public key infrastructure (PKI). If you administer websites or APIs, HTTPS basics also include redirecting HTTP → HTTPS, monitoring certificate expiry, and enabling HSTS carefully.
How HTTPS works
At a high level, HTTPS combines two things:
- HTTP: the application-layer protocol browsers and APIs use to request and deliver web content.
- TLS: the cryptographic protocol that negotiates secure parameters, authenticates identities (usually the server), and encrypts the session.
What security properties HTTPS provides (and what it doesn’t)
Provides: 1. Confidentiality: Traffic is encrypted, making passive eavesdropping far harder (for example, on public Wi‑Fi). 2. Integrity: Attackers can’t easily modify content in transit without being detected. 3. Authentication (usually server-side): The server proves its identity using an X.509 certificate chained to a trusted CA (Certificate Authority).
Does not automatically provide: - Safety of the website itself (a phishing site can still have valid HTTPS). - End-to-end security beyond the TLS endpoints (for example, if a reverse proxy terminates TLS, the hop to upstream services may be unencrypted unless you secure it). - Correct authorization/business logic (HTTPS doesn’t fix insecure apps).
If you’re threat-modeling where HTTPS fits in broader attack paths, it’s often discussed alongside intrusion phases (recon → delivery → exploitation → etc.). See: what is the cyber kill chain.
The TLS handshake (practitioner view)
When a client (browser/app) connects to an HTTPS URL, this generally happens:
- ClientHello: The client proposes TLS versions, cipher suites, and extensions (notably SNI—Server Name Indication).
- ServerHello + certificate: The server selects parameters and sends its certificate chain.
- Certificate validation: The client verifies: - The certificate is valid for the hostname (SAN/CN match). - It’s not expired. - It chains to a trusted root CA. - Revocation checking may occur (OCSP/CRL), sometimes softened by “soft-fail” behavior depending on client and configuration.
- Key exchange: Modern TLS uses ephemeral key exchange (e.g., ECDHE) to derive session keys.
- Encrypted session: HTTP requests/responses flow inside the encrypted TLS tunnel.
From the user perspective, all they notice is a padlock; from an admin perspective, the key outputs are TLS version, cipher, certificate chain correctness, and whether HTTP is redirected to HTTPS.
Certificates and trust (PKI in one paragraph)
HTTPS relies on the public key infrastructure (PKI). A CA issues a certificate binding a domain name (e.g., www.example.com) to a public key after validation. Browsers/OSes ship with trusted root CA certificates; if the server’s certificate chain leads to one of those roots and the hostname matches, the client trusts it.
HTTP over HTTPS is still HTTP
Once TLS is established, HTTP behaves normally:
GET /index.htmlPOST /login- Headers and cookies (including session cookies)
- HTTP/2 or HTTP/3 can run over TLS as well
That matters because misconfigurations at the HTTP layer still apply (insecure cookies, bad CORS, verbose headers, etc.)—they’re just transported securely.
How to verify HTTPS (quick commands)
Use these to confirm HTTPS behavior and spot common issues.
# Check certificate chain + negotiated TLS parameters
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null
# Pull response headers and confirm redirects to HTTPS
curl -I http://example.com
curl -I https://example.com
# See protocol negotiation (HTTP/2 etc.) and TLS details
curl -v --http2 https://example.com/ 2>&1 | sed -n '1,25p'
To get a quick summary (issuer, validity dates, SANs), you can extract the leaf cert:
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
| openssl x509 -noout -subject -issuer -dates -ext subjectAltName
Common HTTPS problems (and what to fix first)
-
Expired certificates
- Fix: renew immediately; automate renewal; add monitoring/alerts for expiry windows. -
Hostname mismatch (SAN/CN mismatch)
- Fix: re-issue the cert with the correct SANs; verify your edge/load balancer is presenting the intended certificate. -
Incomplete certificate chain
- Fix: install intermediate certificates properly (common with misconfigured servers and some certificate providers). -
HTTP not redirecting to HTTPS
- Fix: 301/308 redirect at the edge; ensure canonical URLs are HTTPS. -
Mixed content (HTTPS page loads HTTP resources)
- Fix: update resource URLs to HTTPS; ensure third-party assets support HTTPS; use CSP reporting to surface stragglers. -
Outdated TLS versions/ciphers
- Fix: disable legacy protocols (e.g., TLS 1.0/1.1); prefer modern cipher suites and forward secrecy; validate compatibility requirements.
When you’re prioritizing remediation work across systems, treat HTTPS and certificate hygiene as part of routine operational hardening. A practical baseline for ongoing maintenance is covered here: patch management best practices a practitioners guide.
Where you’ll encounter HTTPS
1) Browsing and SaaS access (users)
Any time users log into email, HR portals, banking, or SaaS tools, HTTPS protects credentials and session cookies in transit. Practically, you’ll handle:
- Browser warnings for expired, mismatched, or untrusted certificates
- Captive portals and SSL inspection appliances impacting trust
- “Your connection is not private” incidents that are actually DNS hijacks or middleboxes
If you regularly use public Wi‑Fi, HTTPS helps—but you still want to reduce exposure to hostile networks. A reputable VPN can add protection on untrusted networks (and helps with IP privacy), though it doesn’t “replace” HTTPS. If you need one, consider NordVPN (Check NordVPN pricing →) or Surfshark (Try Proton VPN →) for travel and coffee-shop Wi‑Fi scenarios.
2) API-to-API communication (developers and IT)
Internal services and third-party integrations typically use HTTPS for REST/GraphQL endpoints. This is where you’ll see:
- Mutual TLS (mTLS): both client and server present certificates (strong service identity)
- Certificate rotation requirements and breakage from pinning or strict validation
- Time drift issues causing “certificate not yet valid” errors
3) Website publishing and compliance (admins and SMB owners)
If you host a site, HTTPS is baseline and commonly tied to compliance expectations (e.g., for handling credentials or personal data). Typical admin tasks:
- Acquire and renew certificates (automated renewal is strongly preferred)
- Enforce HTTPS-only with redirects and HSTS (after validation/testing)
- Eliminate “mixed content” that downgrades subresources to HTTP
4) Security controls: proxies, WAFs, and TLS inspection (security teams)
In enterprise networks, HTTPS is both the mechanism to protect traffic and a challenge for monitoring. You’ll encounter:
- TLS termination at CDNs/WAFs/load balancers
- TLS inspection (man-in-the-middle by design) using an enterprise root CA
- Policy debates: visibility vs privacy; exceptions for sensitive categories
Enforcing HTTPS and HSTS safely
A common rollout pattern is:
1) Redirect HTTP → HTTPS
2) Add HSTS once you’re confident HTTPS is correct everywhere
Example header:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Caution: HSTS can “brick” access to a domain if HTTPS is misconfigured, especially with includeSubDomains or preload. Roll out gradually (start with a smaller max-age, validate, then increase).
Technical notes: log patterns you’ll encounter
On reverse proxies/load balancers, HTTPS termination produces TLS metadata logs. Examples include:
- NGINX:
$ssl_protocol,$ssl_cipher,$host,$server_name,$request - ALB/ELB-style logs: TLS version and cipher appear per request
- Common errors:
SSL_do_handshake() failedno shared ciphertlsv1 alert protocol version
These often indicate legacy clients, disabled protocols, or cipher mismatch.
Related terms
The cryptographic protocol that secures HTTPS connections (replaces older SSL).
Legacy predecessor to TLS. People still say “SSL cert,” but modern deployments use TLS.
The standard format for certificates used in HTTPS; contains subject names, public key, validity, and extensions.
Trusted entity that issues certificates. Trust is anchored in root certificates shipped with clients.
The broader system of certificate issuance, validation, chains, and trust anchors.
Browser-enforced policy to always use HTTPS for a domain after first secure visit (or preload list).
TLS extension allowing one IP to host multiple HTTPS sites by sending the hostname during handshake.
Mechanisms for certificate revocation checking; OCSP stapling can improve performance and reliability.
TLS mode where clients also authenticate with certificates, common for service-to-service security.
A secure HTTPS page that loads resources over HTTP, weakening security and often blocked by modern browsers.