HTTPS (HyperText Transfer Protocol Secure) is HTTP carried over an encrypted SSL/TLS connection. The browser and server negotiate a session key during the TLS handshake, after which all request and response bytes are authenticated and encrypted, preventing eavesdropping and tampering by anyone on the network path.
Why it matters
HTTPS is a confirmed Google ranking signal and a baseline expectation in modern browsers, which mark plain HTTP pages as "Not Secure" in the address bar. Powerful platform features — service workers, geolocation, the Clipboard API, HTTP/2, and HTTP/3 — only work over secure origins. Without HTTPS, login forms, payment data, and even read-only browsing can be intercepted on shared networks.
How to check
- Issue a valid certificate from a trusted CA (Let's Encrypt is free and automated) and renew before expiry.
- Redirect every HTTP URL to HTTPS with a 301 redirect so links and SEO equity transfer.
- Enable HSTS with a long max-age once you are confident HTTPS is stable, and consider preload submission.
- Make sure all subresources (images, scripts, iframes) load over HTTPS; mixed content blocks features and triggers warnings.
- Disable old protocols (TLS 1.0/1.1) and weak ciphers; aim for TLS 1.2 minimum, ideally TLS 1.3.
- Test the deployment with SSL Labs or any TLS scanner and watch for 301/200 chains in HTTP status codes.
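
The redirect, HSTS and mixed-content checks from the list above can be automated over a recorded redirect chain. The following is an added example, not part of the original page; the `(url, status, headers)` hop format, the one-year threshold for a "long" max-age, and the `example.test` sample data are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

MIN_HSTS_MAX_AGE = 31536000  # one year in seconds; assumed meaning of "long"
SUBRESOURCE = re.compile(
    r"""<(?:img|script|iframe)\b[^>]*?\bsrc\s*=\s*["'](http://[^"']+)""", re.I)

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: argument}."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives

def audit(chain, html):
    """chain: ordered (url, status, headers) hops with lowercase header names;
    html: body of the final hop. Returns a list of findings."""
    findings = []
    for url, status, headers in chain[:-1]:
        target = headers.get("location", "")
        if status != 301:
            findings.append(f"{url}: redirect uses {status}, not 301")
        if urlsplit(target).scheme != "https":
            findings.append(f"{url}: redirects to non-HTTPS target {target!r}")
    final_url, final_status, final_headers = chain[-1]
    if urlsplit(final_url).scheme != "https" or final_status != 200:
        findings.append(f"{final_url}: final hop is not an HTTPS 200")
    max_age = parse_hsts(final_headers.get("strict-transport-security", "")).get("max-age", "")
    if not max_age.isdigit():
        findings.append("HSTS header missing or has no max-age")
    elif int(max_age) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
    for match in SUBRESOURCE.finditer(html):
        findings.append(f"mixed content: {match.group(1)}")
    return findings

# Constructed sample data (not captured from a real site).
GOOD = [("http://example.test/", 301, {"location": "https://example.test/"}),
        ("https://example.test/", 200,
         {"strict-transport-security": "max-age=63072000; includeSubDomains"})]
BAD = [("http://example.test/", 302, {"location": "http://www.example.test/"}),
       ("http://www.example.test/", 301, {"location": "https://www.example.test/"}),
       ("https://www.example.test/", 200, {"strict-transport-security": "max-age=300"})]
BAD_HTML = '<img src="https://example.test/a.png"><script src="http://cdn.example.test/x.js"></script>'

if __name__ == "__main__":
    print(audit(GOOD, '<img src="https://example.test/a.png">'))
    for finding in audit(BAD, BAD_HTML):
        print(finding)
```

The first hop of the constructed `BAD` chain redirects to another plain-HTTP URL before reaching HTTPS, which leaves one more request exposed on the network path than a direct 301 to HTTPS would.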