HTTPS (Hypertext Transfer Protocol Secure) is the encrypted version of HTTP — the protocol browsers use to communicate with websites. When a site uses HTTPS, all data between your browser and the server is encrypted, preventing anyone in between from reading or modifying it.
You can tell a site uses HTTPS by the https:// prefix in the URL and the padlock icon in your browser’s address bar. As of 2026, 86.9% of websites use HTTPS and browsers mark all HTTP sites as “Not Secure.”
How HTTPS works
HTTPS adds TLS (Transport Layer Security) encryption on top of regular HTTP. When you visit an HTTPS website, a TLS handshake occurs in milliseconds:
- Browser connects — sends supported TLS versions, cipher suites, and a random number to the server
- Server responds — sends its chosen cipher suite, its SSL/TLS certificate (containing its public key), and a random number
- Browser verifies — checks the certificate hasn’t expired, matches the domain, and is signed by a trusted Certificate Authority
- Session key negotiated — both sides use asymmetric cryptography (Diffie-Hellman key exchange) to agree on a shared secret session key
- Encrypted communication begins — all subsequent data is encrypted with the symmetric session key
After the handshake, everything is encrypted: HTML, images, CSS, JavaScript, form submissions, cookies, API responses, and URL paths.
HTTP vs HTTPS
| | HTTP | HTTPS |
|---|---|---|
| Encryption | None — data sent in plaintext | All data encrypted with TLS |
| Default port | 80 | 443 |
| URL prefix | http:// | https:// |
| Certificate required | No | Yes (SSL/TLS certificate) |
| Browser indicator | “Not Secure” warning | Padlock icon |
| Data integrity | No — data can be modified in transit | Yes — tampering is detected |
| Authentication | None — no proof server is genuine | Certificate proves server identity |
| SEO signal | Negative (since 2014) | Positive (Google ranking factor) |
| HTTP/2 support | No (in practice) | Yes — faster page loads |
| Required for | Nothing modern | Service workers, geolocation, camera/mic APIs, payment forms |
The gap is not just security — HTTPS enables modern web features that HTTP cannot use. Browsers restrict service workers, the Geolocation API, the Clipboard API, and other powerful APIs to HTTPS origins only.
Why every website needs HTTPS
Privacy
Without HTTPS, anyone on the same network can see exactly what you’re doing. A coffee shop Wi-Fi operator, a corporate proxy, an ISP — they can read every page you visit, every form you submit, every cookie that passes. HTTPS encrypts all of this.
This isn’t theoretical. ISPs have been documented injecting ads and tracking code into unencrypted HTTP traffic.
Data integrity
HTTPS guarantees the data you receive hasn’t been modified in transit. Without it, a malicious network operator could:
- Inject ads or cryptocurrency miners into your pages
- Replace download links with malware
- Modify prices or terms on your website
- Insert tracking scripts
HTTPS detects any modification — the browser rejects tampered data.
Authentication
The certificate proves you’re connected to the real server, not an imposter. Without HTTPS, a malicious Wi-Fi hotspot (named “Free Airport WiFi”) can silently redirect you to a fake version of any website. With HTTPS, the fake site can’t present a valid certificate for the domain — the browser blocks the connection.
SEO
Google has used HTTPS as a ranking signal since 2014. While it’s a lightweight signal (Google describes it as a “tiebreaker”), it’s one of the easiest signals to implement. More importantly, HTTP pages trigger Chrome’s “Not Secure” warning, which increases bounce rates — and bounce rate indirectly affects rankings.
Performance
A common misconception is that HTTPS is slower. In reality:
- The TLS handshake adds one round trip (TLS 1.3) or two (TLS 1.2) — typically 10-50ms
- HTTP/2 (which requires HTTPS) is significantly faster than HTTP/1.1 through multiplexing, header compression, and server push
- Session resumption eliminates the handshake overhead for returning visitors (0-RTT in TLS 1.3)
- Modern CPUs handle AES encryption in hardware (AES-NI) — the CPU cost is negligible
In practice, HTTPS sites with HTTP/2 load faster than HTTP/1.1 sites.
Browser requirements
Modern browsers restrict powerful APIs to secure contexts (HTTPS only):
- Service Workers — required for PWAs, offline support, push notifications
- Geolocation API — GPS and location access
- Camera/Microphone — getUserMedia() for video calls
- Clipboard API — reading from clipboard
- Payment Request API — native payment UI
- Web Bluetooth, Web USB — hardware access
If your site needs any of these features, HTTPS is mandatory — not optional.
Common misconceptions
“HTTPS is only needed for login pages and payments.” Every page should use HTTPS. Even static blog posts transmit cookies that could be stolen on HTTP. HTTP pages can be modified in transit to inject malicious content. And browsers now warn on all HTTP pages — not just those with forms.
“HTTPS makes my site slower.” TLS 1.3 adds ~10-40ms on the first connection. HTTP/2 (which requires HTTPS) more than compensates with multiplexing and compression. Session resumption makes subsequent visits even faster. On modern hardware, the encryption itself is handled by CPU instructions (AES-NI) and adds no measurable overhead.
“HTTPS certificates are expensive.” Let’s Encrypt issues certificates for free. Over 300 million websites use them — including major companies and government sites. With GetHTTPS, you can get one in 5 minutes without installing any software.
“My hosting provider handles HTTPS, I don’t need to understand it.” Probably true for basic sites. But if you ever see a “Mixed Content” warning, a certificate error, or need to set up a redirect — understanding HTTPS helps you diagnose and fix the issue. And if you switch hosts, you’ll need to know how certificates work.
“The padlock icon means the site is safe.” The padlock means the connection is encrypted — not that the website itself is trustworthy. Over 90% of phishing sites now use HTTPS. The padlock confirms who you’re connected to (via the certificate), not whether they’re honest.
How to enable HTTPS on your website
- Get a certificate — Use GetHTTPS to get a free Let’s Encrypt certificate in your browser. No installation, no account.
- Install it on your server — See our guides for Nginx, Apache, cPanel, WordPress, IIS, or Docker.
- Redirect HTTP to HTTPS — Force all traffic to the secure version. Redirect guide →
- Fix mixed content — Ensure all resources (images, scripts, CSS) load over HTTPS. Mixed content guide →
- Set up renewal — Let’s Encrypt certificates last 90 days. Renewal guide →
The future of HTTPS
Certificate validity is shrinking. The CA/Browser Forum voted to reduce maximum certificate validity to 47 days by 2029. This makes automated renewal tools (Certbot, acme.sh) or easy manual tools (GetHTTPS) increasingly important.
HTTP/3 and QUIC. The next generation of HTTP runs over QUIC, which has encryption built into the transport layer — there’s no unencrypted version. HTTPS isn’t just a layer anymore; it’s becoming inseparable from the protocol itself.
Encrypted Client Hello (ECH). TLS 1.3 encrypts most of the handshake, but the SNI (Server Name Indication) — which reveals what domain you’re connecting to — is still visible. ECH encrypts the SNI too, making it impossible for network observers to see which specific site you’re visiting on a shared server.
Frequently asked questions
Is HTTPS really secure?
HTTPS with modern TLS (1.2 or 1.3) is extremely secure against eavesdropping and tampering. No practical attack exists against properly configured TLS 1.3. The remaining risks are at the endpoints (malware on your device, compromised server), not the encrypted connection itself.
Do I need HTTPS for a static website?
Yes. Even without forms or logins, HTTPS prevents content injection (ads, malware), protects visitor privacy (which pages they view), enables HTTP/2 (faster loading), and avoids the “Not Secure” browser warning.
Does HTTPS affect SEO?
Yes. Google confirmed HTTPS as a ranking signal in 2014. It’s a lightweight signal, but combined with the “Not Secure” warning (which increases bounce rates), HTTP sites face a measurable SEO disadvantage.
What’s the difference between SSL and TLS?
SSL (Secure Sockets Layer) was the original encryption protocol, created by Netscape in the 1990s. TLS (Transport Layer Security) replaced it. All SSL versions are deprecated and insecure. When people say “SSL certificate” today, they mean a certificate used with TLS. The terms are used interchangeably in practice.
How much does HTTPS cost?
Zero — if you use Let’s Encrypt. GetHTTPS issues Let’s Encrypt certificates for free, directly in your browser. Paid certificates ($50-500/year) exist but provide the same encryption strength — the difference is in identity validation level, not security.
Does HTTPS protect against all attacks?
No. HTTPS protects data in transit — it prevents eavesdropping, tampering, and server impersonation. It does NOT protect against: malware on the user’s device, vulnerabilities in your application code (XSS, SQL injection), phishing (the padlock doesn’t mean the site is honest), or server-side breaches.