HTTPS

Explanation

HTTPS adds a TLS (formerly SSL) layer between HTTP and TCP. When you connect to an HTTPS site, a TLS handshake occurs before any HTTP data is exchanged: the server sends its TLS certificate (containing its public key and identity, signed by a Certificate Authority), the client verifies the certificate is valid and signed by a trusted CA, they negotiate a cipher suite and exchange keys to establish a shared symmetric encryption key, and then all subsequent HTTP traffic is encrypted with that key. TLS certificates are issued by Certificate Authorities (CAs) like Let's Encrypt (free), DigiCert, or Sectigo. The browser ships with a list of trusted root CAs. If a certificate is self-signed (not signed by a trusted CA), the browser shows a security warning. Let's Encrypt made free TLS certificates easy to obtain and auto-renew, and is responsible for the near-universal adoption of HTTPS on the modern web. HTTPS provides three things: encryption (data is unreadable to anyone intercepting the connection), authentication (you know you're talking to the real server, not an impersonator), and integrity (data can't be tampered with in transit without detection). HTTP lacks all three. On plain HTTP, coffee-shop Wi-Fi attackers can read your passwords, session cookies, and inject ads or malware into pages. Modern browsers actively penalize non-HTTPS sites: Chrome marks HTTP sites as "Not Secure," certain browser APIs (geolocation, service workers, camera access) are HTTPS-only, and Google's search ranking algorithm gives preference to HTTPS sites.

Code Example

// HTTPS in practice: setting up redirects and HSTS

// Node.js/Express: redirect HTTP to HTTPS
const express = require('express');
const app = express();

// Middleware: force HTTPS in production
app.use((req, res, next) => {
  if (process.env.NODE_ENV === 'production' && !req.secure) {
    return res.redirect(301, 'https://' + req.headers.host + req.url);
  }
  next();
});

// Set HSTS header: tell browsers to always use HTTPS for 1 year
app.use((req, res, next) => {
  res.setHeader(
    'Strict-Transport-Security',
    'max-age=31536000; includeSubDomains; preload'
  );
  next();
});

// In nginx config (production):
// server {
//   listen 80;
//   return 301 https://$host$request_uri;
// }
// server {
//   listen 443 ssl;
//   ssl_certificate     /etc/letsencrypt/live/domain/fullchain.pem;
//   ssl_certificate_key /etc/letsencrypt/live/domain/privkey.pem;
// }

Why It Matters for Engineers

HTTPS is a non-negotiable baseline for any production web application. Transmitting passwords, session tokens, or any user data over HTTP is a serious security vulnerability. Beyond user safety, HTTPS is required for browser features like service workers, push notifications, and payment APIs — meaning HTTP sites can't use modern web capabilities. Understanding TLS certificates also matters for production operations: certificate expiry silently breaks your HTTPS site. Knowing how Let's Encrypt auto-renewal works, what HSTS does, and why certificate pinning exists makes you a more capable production engineer.