RSystems

HTTPS

Also known as: Hypertext Transfer Protocol Secure, HTTP over TLS

HTTP secured with TLS encryption. Protects web traffic from interception and verifies the server's identity via a certificate. Every public-facing site should be HTTPS-only.

HTTP transmits data in plaintext — anyone on the same network can read it. HTTPS wraps HTTP in a TLS session, encrypting all traffic between client and server and authenticating the server with a certificate.

Every public-facing website should be HTTPS-only in 2025. Browsers actively warn users about HTTP sites, search engines penalize them in rankings, and most browsers block mixed content (HTTP resources loaded on HTTPS pages). There's no legitimate reason to run a public site over plain HTTP.

HTTPS operates on port 443. HTTP operates on port 80. Redirecting all HTTP traffic to HTTPS is standard practice — your web server or CDN handles this automatically in most configurations.

For internal applications and corporate intranets, the calculus is more nuanced. HTTPS is still recommended — it prevents credential interception on the local network — but internal certificate management adds operational overhead that some organizations defer.

HSTS (HTTP Strict Transport Security) is a header that tells browsers to only connect to a site over HTTPS — even if a user types http:// directly. Combined with preloading, it prevents downgrade attacks that try to force the connection to unencrypted HTTP.