HTTPS: Definition, How It Works, and Where You’ll See It
HTTPS (Hypertext Transfer Protocol Secure) is HTTP delivered over TLS (Transport Layer Security) to provide:
HTTPS is the secure version of HTTP: it uses TLS to encrypt web traffic, authenticate servers with certificates, and protect data integrity in transit. If you manage websites, APIs, reverse proxies, or SaaS access, HTTPS is a daily operational dependency—certificate expiry, weak TLS settings, and mixed content can quickly become outages or security incidents.
How HTTPS works
HTTPS isn’t a different application protocol from HTTP; it’s HTTP running inside a secure TLS session. Before any sensitive HTTP data is exchanged, the client and server establish cryptographic keys and agree on secure parameters.
1) Connection setup: TCP (or QUIC) first
Traditionally, HTTPS runs over TCP port 443:
- Client opens a TCP connection to
example.com:443 - TLS handshake occurs
- HTTP requests/responses flow inside that encrypted channel (HTTP/1.1 or HTTP/2)
Newer deployments may use HTTP/3, which runs over QUIC (UDP) but still uses TLS 1.3 concepts for encryption and authentication.
2) TLS handshake: agreeing on security
During the TLS handshake, the client and server:
- Negotiate a TLS version (ideally TLS 1.2 or TLS 1.3; 1.3 is preferred)
- Choose cipher suites (algorithms for key exchange, encryption, and integrity)
- Validate the server’s certificate (and optionally the client’s)
At a high level:
- ClientHello: client offers supported TLS versions, cipher suites, and extensions like SNI (Server Name Indication) and ALPN (Application-Layer Protocol Negotiation).
- ServerHello: server selects parameters and sends its certificate chain (leaf cert + intermediates).
- Certificate validation: client verifies: - The certificate is issued for the hostname (CN/SAN match) - It chains to a trusted CA root - It is not expired - It hasn’t been revoked (depending on client behavior and revocation method)
- Key agreement: both sides derive symmetric session keys (modern deployments rely on ephemeral key exchange such as ECDHE for forward secrecy).
- Handshake completes: encrypted application data can now be exchanged.
3) Encrypted HTTP: protecting data and sessions
After handshake completion:
- HTTP headers and body are encrypted (including cookies and
Authorizationheaders). - Attackers on the network can’t read the content or modify it without detection.
- Session cookies are far safer from passive interception (though not immune to endpoint compromise, XSS, or misconfiguration).
4) Certificates and trust: why the browser believes the site
Certificates bind a public key to an identity (e.g., a domain name). They’re issued by Certificate Authorities (CAs) under the public Web PKI. Browsers/OSes ship with a trust store of CA roots; if a server presents a valid chain to a trusted root, the site is considered authenticated.
Key operational points:
- DV/OV/EV: Validation levels affect how identity is verified, not the cryptographic strength of TLS itself.
- SNI: Lets one IP host many HTTPS sites by indicating the hostname during the handshake.
- ALPN: Negotiates HTTP/2 (
h2) vs HTTP/1.1.
5) Redirects, HSTS, and “HTTPS everywhere”
Many sites enforce HTTPS via:
- HTTP → HTTPS redirects (301/302 from port 80 to 443)
- HSTS (HTTP Strict Transport Security), an HTTP response header that tells browsers to always use HTTPS for a domain for a defined period, preventing downgrade attacks.
Where you’ll encounter HTTPS
HTTPS shows up almost anywhere web traffic exists—often invisibly until something breaks. Below are common, practitioner-relevant touchpoints.
Browsing and web applications
- Logging into SaaS tools (email, HR systems, finance portals)
- Submitting forms with PII (customer data, addresses, payments)
- Accessing admin portals (routers, firewalls, NAS, virtualization consoles)
Operational “gotchas”:
- Browser warnings like NET::ERR_CERT_DATE_INVALID often indicate certificate expiry.
- “Not secure” labels can appear for mixed content (an HTTPS page loading HTTP assets).
APIs and service-to-service traffic
- Internal APIs behind a gateway or reverse proxy (Nginx, HAProxy, Envoy, cloud load balancers)
- Public APIs where clients expect strong TLS settings
- Webhooks (incoming HTTPS endpoints) where cert trust and TLS versions matter
Security implications:
- API keys and bearer tokens must be protected in transit; HTTPS is non-negotiable.
- Misconfigured TLS (weak ciphers, old versions) can violate compliance and increase risk.
Reverse proxies, load balancers, and TLS termination
Many environments terminate TLS at the edge:
- CDN/WAF terminates TLS and forwards traffic to origin
- Cloud load balancer terminates TLS and sends HTTP to internal services
- Reverse proxy terminates TLS and routes to multiple backends
This is convenient, but it creates decisions you must explicitly manage:
- Is traffic re-encrypted from the edge to the backend (TLS-to-origin), or sent in cleartext on internal networks?
- Are you doing end-to-end TLS for compliance or threat-model reasons?
- Are logs and telemetry capturing SNI, cipher suites, and handshake failures for troubleshooting?
Enterprise controls: inspection and “break-and-inspect”
Some organizations deploy TLS interception (proxying HTTPS) for security monitoring:
- A corporate proxy presents its own certificate to clients (trusted via enterprise root CA)
- It decrypts and inspects traffic, then re-encrypts it to the destination
This can be legitimate for policy enforcement, but it introduces:
- Privacy and compliance considerations
- Compatibility issues with certificate pinning and some applications
- A critical dependency on protecting the enterprise CA private key
Troubleshooting and incident response
You’ll notice HTTPS when:
- A certificate expires and causes outages
- A CA changes intermediate certs and your server chain is incomplete
- Clients fail due to TLS version mismatch (e.g., legacy clients vs TLS 1.2+ enforcement)
- An attacker attempts downgrade or MITM—HSTS and proper validation help prevent this
If your troubleshooting is part of a broader security response, it can help to connect HTTPS failures with detection signals like an indicator of compromise (IOC)—see our glossary entry: What is an IOC?
Technical notes: quick checks you can run
Check the certificate and TLS handshake from a terminal
# Show certificate chain and handshake details (SNI matters)
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null
# Extract key certificate fields (validity, SANs, issuer)
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
| openssl x509 -noout -subject -issuer -dates -ext subjectAltName
Look for:
notBefore/notAfter(expiry)subjectAltNameincludes the hostname you’re using- A complete chain (missing intermediates commonly break older clients)
Verify protocol support and common misconfigurations
# Quick validation of HTTPS response and redirects
curl -I https://example.com
# See negotiated protocol and TLS details
curl -vI https://example.com 2>&1 | egrep -i 'SSL connection|ALPN|TLS|subject:|issuer:'
Red flags:
- Redirect loops between HTTP and HTTPS
- HSTS missing on sensitive sites (where appropriate)
- Negotiation falling back to older protocols/ciphers
Common log patterns you’ll see
Server-side (varies by stack), handshake issues may show up as:
SSL handshake failedunknown cacertificate verify failedbad key share(often client/server TLS 1.3 parameter mismatch)tlsv1 alert protocol version(client too old, server too strict—or vice versa)
Best practices and practical security add-ons
Keep endpoint protection and credentials aligned with HTTPS
HTTPS protects data in transit, but it can’t help if an endpoint is already compromised or credentials are weak/reused. In small business and IT teams, pairing HTTPS hygiene with a strong password manager is an easy win. If you’re standardizing credential storage and passkeys, consider 1Password: Try 1Password →. You can also review our guide: Best password manager for small business (2026)
Use VPNs carefully (they complement HTTPS, not replace it)
A reputable VPN can reduce exposure on hostile networks (e.g., public Wi‑Fi) and add privacy from local network observers, but it does not replace HTTPS—your browser still relies on TLS certificate validation to authenticate sites. If a VPN is part of your travel or remote-work baseline, options like NordVPN Check NordVPN pricing → or Surfshark Try Proton VPN → are commonly used.
Related terms
The underlying web protocol; without TLS, it’s plaintext and easily intercepted/modified on untrusted networks.
The cryptographic protocol that powers HTTPS. “SSL” is the older predecessor; people still say “SSL” colloquially.
Deprecated secure transport protocols (SSLv2/SSLv3). Modern “SSL certificates” are actually TLS certificates.
The standard format for public key certificates used by TLS on the web.
A trusted entity that issues certificates. Public CAs are trusted by default in browsers; private CAs are used internally.
The broader system of certificate issuance, validation, revocation, and trust anchors.
A header that forces browsers to use HTTPS and helps prevent downgrade attacks.
Both client and server authenticate with certificates; common in zero trust and service-to-service environments.
Certificate revocation mechanisms (Online Certificate Status Protocol / Certificate Revocation Lists).
A TLS extension allowing the client to specify the hostname during handshake, enabling multi-site hosting on one IP.
Negotiates application protocol (e.g., HTTP/2) during TLS handshake.