
What is HTTPS? A Simple Explanation for Developers


HTTPS is HTTP with encryption. When you visit a site over HTTPS, everything between your browser and the server is encrypted: passwords, credit cards, personal data, even the pages you view. Nobody in between (your ISP, the coffee shop WiFi, hackers) can read or modify the traffic. What they can still see is which server you are connecting to.

The S stands for Secure. The padlock icon in your browser means HTTPS is active.

HTTP vs. HTTPS

HTTP (no encryption):

You → [password: hunter2] → WiFi router → ISP → Server
         ↑ Anyone can read this

HTTPS (encrypted):

You → [encrypted gibberish] → WiFi router → ISP → Server
         ↑ Nobody can read this except the server

How it works (simplified)

  1. Your browser connects to https://example.com
  2. The server sends its SSL certificate (which contains its public key)
  3. Your browser verifies the certificate is valid and trusted
  4. Browser and server agree on an encryption key using a handshake
  5. All data is now encrypted with that key

This happens in milliseconds, before any page content loads.

Why every site needs HTTPS

  • Security: protects user data from eavesdropping
  • SEO: Google ranks HTTPS sites higher
  • Trust: browsers show “Not Secure” warnings for HTTP sites
  • Required for modern features: service workers, geolocation, camera access all require HTTPS
  • HTTP/2 and HTTP/3: only work over HTTPS in browsers

Setting up HTTPS

The easy way is Let’s Encrypt (free):

# Install certbot
sudo apt install certbot python3-certbot-nginx

# Get a certificate (auto-configures Nginx)
sudo certbot --nginx -d example.com -d www.example.com

# Auto-renewal is set up automatically
# Test it:
sudo certbot renew --dry-run

That’s it. Free SSL certificate, renewed automatically before its 90-day lifetime runs out.

Platforms that handle it for you:

  • Vercel, Netlify, Cloudflare Pages: automatic HTTPS
  • Cloudflare (as a proxy): free SSL for any site
  • AWS Certificate Manager: free certificates for AWS services

Redirect HTTP to HTTPS

After setting up HTTPS, redirect all HTTP traffic:

server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}

See: Nginx cheat sheet for more config patterns.
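
To confirm the redirect rule above behaves as intended once deployed, the check below audits a plain-HTTP response for a permanent status, an https target, an expected host, and a preserved path and query. It is an added example, not part of the original tutorial: `fetch_plain_http`, `audit_redirect` and `ALLOWED_HOSTS` are hypothetical names, and the sample responses are constructed.

```python
import http.client
from urllib.parse import urlsplit

# Hosts named in the tutorial's server_name line.
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def fetch_plain_http(host, request_uri, port=80, timeout=5):
    """Send one GET over plain HTTP and return (status, Location) unfollowed."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", request_uri)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def audit_redirect(status, location, request_uri, allowed_hosts=ALLOWED_HOSTS):
    """Return the problems found in one plain-HTTP response (empty list = OK)."""
    problems = []
    if status not in (301, 308):
        problems.append(f"status {status} is not a permanent redirect (301/308)")
    if not location:
        return problems + ["no Location header, so content is served over HTTP"]
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"redirect target scheme is {target.scheme!r}, not 'https'")
    if target.hostname not in allowed_hosts:
        problems.append(f"redirect leaves the site: host {target.hostname!r}")
    sent_back = target.path + (f"?{target.query}" if target.query else "")
    if sent_back != request_uri:
        problems.append(f"path/query changed: {request_uri!r} -> {sent_back!r}")
    return problems


if __name__ == "__main__":
    # Constructed responses (not captured traffic): request URI, status, Location.
    samples = [
        ("/login?next=/cart", 301, "https://example.com/login?next=/cart"),
        ("/login?next=/cart", 302, "https://example.com/"),
        ("/account", 200, None),
    ]
    for uri, status, location in samples:
        print(uri, status, audit_redirect(status, location, uri) or "OK")
    # Against a live server: audit_redirect(*fetch_plain_http(host, uri), uri)
```

Because the tutorial's rule uses `$server_name`, a request for www.example.com is redirected to https://example.com, which is why both hosts are in the allowed set.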

Common issues

  • Mixed content: your HTTPS page loads resources over HTTP. See: HTTPS mixed content fix
  • Certificate expired: Let’s Encrypt certs last 90 days. Make sure auto-renewal is working.
  • SSL certificate problem. See: SSL certificate problem fix

SSL vs. TLS

People say “SSL” but mean “TLS.” SSL is the old, insecure version. TLS is the current standard (TLS 1.2 and 1.3). The terms are used interchangeably in casual conversation, but technically you should use TLS.