HTTP: The Foundation of the Web
HTTP — HyperText Transfer Protocol — is the protocol that browsers and web servers use to exchange data. When you type a URL and press Enter, your browser sends an HTTP request to the server, which responds with an HTTP response containing the HTML, CSS, JavaScript, and other resources that make up the page.
HTTP is a stateless, text-based protocol. Each request is independent — the server has no inherent memory of previous requests from the same client. This simplicity made HTTP easy to implement and reason about, but it also means that all data travels in plaintext over the network. Anyone positioned between your browser and the server — your ISP, a network router, an attacker on your WiFi — can read every request and response in full.
In the early web, this was considered acceptable. Most content was public information — web pages, news articles, documentation. But as the web evolved into a platform for banking, shopping, healthcare, and private communication, plaintext HTTP became a serious liability. Credentials, session cookies, form data, and personal information all traveled in the clear.
Use our HTTP headers checker to inspect the security headers of any website and see how well it protects users.
How TLS Makes HTTPS Secure
HTTPS is HTTP layered on top of TLS (Transport Layer Security), previously known as SSL. TLS adds three critical security properties to the connection:
- Confidentiality: Data is encrypted using symmetric-key cryptography (typically AES-256-GCM). An eavesdropper sees only ciphertext — meaningless without the encryption key.
- Integrity: Each TLS record includes a cryptographic MAC (Message Authentication Code). Any tampering with the data in transit is detected and the connection is aborted.
- Authentication: The server presents a digital certificate signed by a trusted Certificate Authority (CA). The browser verifies the certificate to confirm it is talking to the real server, not an impersonator — this is what defeats man-in-the-middle attacks.
The TLS handshake establishes the session before any HTTP data flows. The client and server negotiate a cipher suite, the server presents its certificate, keys are derived using ECDH (Elliptic Curve Diffie-Hellman), and then the encrypted data channel opens. Modern TLS 1.3 (the current standard) completes this in a single round trip, minimizing latency.
Perfect Forward Secrecy (PFS) ensures that even if a server's private key is compromised in the future, past sessions cannot be decrypted — because each session uses ephemeral keys that are discarded after use.
Real-World Consequences of Missing HTTPS
The consequences of running a website over HTTP — or visiting one — are concrete and serious:
Credential theft: Login forms on HTTP pages send usernames and passwords in plaintext. Any network observer captures them trivially. On a shared WiFi network, this is trivial to execute with freely available tools.
Session hijacking: After you log in, a session cookie identifies you to the server. On HTTP, this cookie travels in plaintext with every request. An attacker who captures it can impersonate you until the session expires — a technique called sidejacking, popularized by the Firesheep browser extension in 2010.
Content injection: Without integrity protection, intermediaries (ISPs, malicious hotspots) can inject content into HTTP pages — advertisements, cryptocurrency miners, malware. This actually happened at scale with ISPs modifying HTTP traffic before HTTPS became universal.
SEO penalties: Google has marked HTTP sites as "Not Secure" since 2018 and uses HTTPS as a ranking signal. HTTP-only sites rank lower in search results.
Check any website's security posture with our headers tool — look for the Strict-Transport-Security header, which tells browsers to always use HTTPS and reject plaintext connections.
TLS Certificates: How Trust Works
A TLS certificate binds a domain name to a public key and is signed by a Certificate Authority (CA) that browsers trust. When your browser connects to https://example.com, it receives the server's certificate, checks that it is signed by a trusted CA, verifies the domain name matches, and confirms the certificate has not expired or been revoked.
Types of certificates:
- Domain Validated (DV): The CA verifies only that the applicant controls the domain. Issued in minutes, often free (Let's Encrypt). Provides encryption and authentication but makes no claims about the organization's identity.
- Organization Validated (OV): The CA verifies the organization's legal existence in addition to domain control. Takes days. The organization name appears in the certificate details.
- Extended Validation (EV): Rigorous identity verification. Historically showed a green address bar — though browsers have largely removed this UI distinction, EV certs are still used by high-value targets like banks.
- Wildcard: Covers a domain and all its immediate subdomains (
*.example.com). Convenient but means a single compromised private key exposes all subdomains.
Certificate Transparency (CT) logs require all publicly trusted CAs to log every certificate they issue to public, auditable logs. This allows domain owners to discover unauthorized certificates issued for their domain — a defense against rogue CAs.
HTTP Security Headers: Extending HTTPS Protection
HTTPS is a foundation, not a complete solution. A set of HTTP response headers extends the security model further:
- Strict-Transport-Security (HSTS): Tells browsers to connect only via HTTPS for a specified duration (max-age). Prevents SSL stripping attacks where attackers downgrade connections to HTTP. Include
includeSubDomainsandpreloadfor maximum protection. - Content-Security-Policy (CSP): Specifies which sources of scripts, styles, and other resources are allowed, preventing cross-site scripting (XSS) attacks even if an attacker injects HTML.
- X-Frame-Options / frame-ancestors: Prevents your page from being embedded in iframes on other domains, defeating clickjacking attacks.
- X-Content-Type-Options: nosniff: Prevents browsers from MIME-sniffing responses, which can turn innocent content into executable scripts.
- Referrer-Policy: Controls how much of the current URL is sent as a referrer to other sites, limiting information leakage.
Audit any website's security headers instantly with our HTTP headers checker. A well-secured site should have at minimum HSTS, CSP, X-Frame-Options, and X-Content-Type-Options set correctly.
Audit Any Website's Security Headers
Check HTTPS, HSTS, CSP, and other security headers for any domain — free and instant.
Hide My IP Now
Frequently Asked Questions
Can HTTPS be hacked or intercepted?
Properly configured HTTPS with modern TLS 1.3 is extremely difficult to break. The most common attacks are not against the protocol itself but against implementation flaws: expired certificates, weak cipher suites, missing HSTS allowing SSL stripping, or compromised CAs issuing fraudulent certificates. Certificate Transparency logs help detect the latter.
Does HTTPS mean a website is safe to use?
HTTPS means the connection is encrypted and authenticated — it does not mean the website itself is trustworthy or legitimate. Phishing sites routinely use HTTPS with valid certificates. The padlock icon means your connection to the site is secure, not that the site's intentions are trustworthy.
What is TLS 1.3 and should I care?
TLS 1.3 (RFC 8446, 2018) is the current version of the TLS protocol. It removes all deprecated and weak cipher suites, supports only Perfect Forward Secrecy, completes the handshake in one round trip (versus two for TLS 1.2), and supports 0-RTT resumption for returning connections. All modern browsers and servers support it. Use our <a href="/headers">headers tool</a> to see which TLS version a server uses.
Is HTTP/2 or HTTP/3 different from HTTPS?
HTTP/2 and HTTP/3 are newer versions of the HTTP protocol that add performance improvements (multiplexing, header compression, QUIC transport). In practice, both are almost always deployed over TLS, so they are effectively HTTPS. HTTP/3 uses QUIC instead of TCP, eliminating the TCP handshake penalty and improving performance on lossy networks.
