What is HTTPS and Why HTTP Isn't Enough
HTTP sends everything as plain text. On an open WiFi network, anyone between you and the server can read every request and response — login credentials, session cookies, personal data. HTTPS encrypts the connection. Here is what that means in practice.
What HTTP looks like on the wire
```http
# HTTP request — visible to anyone on the network
GET /account?session=abc123 HTTP/1.1
Host: bank.example.com
Cookie: session=abc123; auth=user@email.com
```
On a coffee shop WiFi network, every device on that network can see this, including your session cookie, which an attacker can copy and replay to access your account.
What HTTPS does
TLS (Transport Layer Security) encrypts the connection between the browser and server. The data above becomes unreadable to anyone on the network who is not the server. The server proves its identity with a certificate — preventing impersonation.
What HTTPS does not protect against
- Server-side attacks — TLS only protects data in transit; it is decrypted at the server, so a compromised server sees everything in plain text
- Malicious JavaScript — XSS attacks run in the browser, after decryption
- Downgrade attacks on first visit — if the user types http://, the first request is unencrypted (HSTS fixes this)
- Certificate authority compromise — if a CA is compromised, fake certificates can be issued
HTTPS is not enough on its own
A site can be HTTPS and still be completely insecure:
- No security headers = XSS attacks can run injected scripts
- No CSP = any external resource can be loaded
- No HSTS = first visit can be downgraded to HTTP
- Mixed content = HTTP resources loaded on HTTPS pages
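The checklist above can be turned into a simple audit of a single response. The following is an added example, not code from the original article or from any tool it mentions; the header names are the real ones, but the sample responses and the `cdn.example.test` URL are constructed for illustration.

```python
import re
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; a common minimum HSTS max-age


def _max_age(hsts: str) -> int:
    """Extract max-age from a Strict-Transport-Security value (0 if absent)."""
    m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
    return int(m.group(1)) if m else 0


def audit_https_response(scheme: str, headers: Dict[str, str], body: str = "") -> List[str]:
    """Return a list of findings for one response, following the checklist above."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    if scheme.lower() != "https":
        findings.append("served over HTTP: request and response are readable on the network")

    # HSTS: tells the browser to upgrade later http:// visits to https://.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("no HSTS: a later http:// visit is not upgraded by the browser")
    elif _max_age(hsts) < ONE_YEAR:
        findings.append(f"HSTS max-age below one year ({_max_age(hsts)}s)")

    # CSP: restricts where scripts and other resources may be loaded from.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("no CSP: injected scripts and external resources are unrestricted")
    elif re.search(r"script-src[^;]*'unsafe-inline'", csp):
        findings.append("CSP script-src allows 'unsafe-inline': injected inline scripts still run")

    # A session cookie without the Secure attribute would also be sent over plain HTTP.
    cookie = h.get("set-cookie")
    if cookie is not None and not any(p.strip().lower() == "secure" for p in cookie.split(";")):
        findings.append("Set-Cookie without Secure: cookie would be sent over plain HTTP")

    # Mixed content: sub-resources fetched over http:// from an https:// page.
    for url in re.findall(r"""src\s*=\s*["'](http://[^"']+)""", body, re.IGNORECASE):
        findings.append(f"mixed content: {url}")

    return findings


# Constructed sample responses (not captured from a real site).
WEAK_HEADERS = {"Content-Type": "text/html"}
WEAK_BODY = '<script src="http://cdn.example.test/app.js"></script>'
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "Set-Cookie": "session=abc123; Secure; HttpOnly; SameSite=Lax",
}
HARDENED_BODY = '<script src="https://cdn.example.test/app.js"></script>'
```

Running `audit_https_response("https", WEAK_HEADERS, WEAK_BODY)` reports the missing HSTS, the missing CSP and the mixed-content script, while the hardened response produces no findings.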
Getting HTTPS free
Let's Encrypt provides free TLS certificates via Certbot. Most hosting providers (Vercel, Netlify, Cloudflare Pages) handle HTTPS automatically. There is no reason for any public website to be on HTTP in 2026.
```bash
# Certbot for Nginx
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d example.com -d www.example.com
```