HTTPS (HyperText Transfer Protocol Secure) is the encrypted version of HTTP, the protocol used for communication between web browsers and servers. It wraps standard HTTP inside a TLS (Transport Layer Security) connection, ensuring that data exchanged between client and server is encrypted, authenticated, and protected against tampering during transit.
How It Works
When a browser connects to an HTTPS site, it initiates a TLS handshake before any application data is exchanged. During this handshake, the server presents its digital certificate, which the browser validates against trusted certificate authorities. The browser and server then negotiate a shared encryption key using asymmetric cryptography. Once the handshake completes, all subsequent communication is encrypted with a symmetric cipher.
This process provides three guarantees. Confidentiality means that anyone intercepting the network traffic sees only encrypted data. Authenticity means the browser can verify it is communicating with the legitimate server and not an impersonator. Integrity means the data cannot be modified in transit without detection.
Modern HTTPS relies on TLS 1.2 or TLS 1.3. TLS 1.3 removed support for legacy cipher suites, simplified the handshake to a single round trip, and eliminated several classes of attacks that affected older versions. Properly configured HTTPS should disable TLS 1.0 and 1.1, use strong cipher suites, and implement forward secrecy so that compromising a server's long-term private key does not decrypt past traffic.
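As an added illustration of the configuration points above (this is example code, not code from the original article), the following Python uses the standard-library ssl module to build a client context that refuses TLS 1.0/1.1, verifies the certificate and hostname, and offers only forward-secret AEAD cipher suites, next to the common insecure variant with verification switched off. The audit function reports where a context falls short; the cipher-name markers and the finding strings are conventions of this example, not an official list.

```python
import ssl

# Cipher-name fragments that identify legacy or broken suites; a hardened
# configuration must not offer any of them (example's own list).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")


def hardened_client_context() -> ssl.SSLContext:
    """Client context: TLS 1.2+ only, chain and hostname verified,
    TLS 1.2 suites restricted to ECDHE (forward secrecy) with AEAD ciphers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.0 and 1.1 are never negotiated
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()  # trust the platform's CA store
    # TLS 1.3 suites are all AEAD and forward secret; this string governs TLS 1.2 only.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4")
    return ctx


def insecure_client_context() -> ssl.SSLContext:
    """The mistake seen in many scripts: encryption without authentication.
    Traffic is still encrypted, but any impersonator's certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return findings for a context; an empty list means it meets the baseline above."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("obsolete protocol versions enabled (TLS 1.0/1.1)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite offered: {name}")
        # TLS 1.3 suites always use ephemeral key exchange; for TLS 1.2 we require
        # ECDHE/DHE so that a stolen server key cannot decrypt recorded traffic.
        elif cipher["protocol"] != "TLSv1.3" and not name.startswith(("ECDHE", "DHE")):
            findings.append(f"no forward secrecy: {name}")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("insecure:", audit_context(insecure_client_context()))
```

The same three properties (minimum version, verification mode, cipher list) apply to a server-side context built with `ssl.PROTOCOL_TLS_SERVER`; the audit function works unchanged on either.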
Why It Matters
HTTPS is now the baseline expectation for every web application. Browsers mark HTTP sites as "Not Secure," search engines penalize them in rankings, and many modern web features (service workers, geolocation, camera access) require HTTPS contexts.
From a security assessment perspective, testers evaluate not just whether HTTPS is present but how it is configured. Weak cipher suites, expired certificates, missing certificate chain intermediates, support for obsolete protocol versions, and mixed content (loading HTTP resources on an HTTPS page) all weaken the protection HTTPS is meant to provide. Combined with HSTS, properly configured HTTPS ensures that every interaction with the application is protected.
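To show how the assessment checks listed above translate into code, here is an added Python example (not part of the original article). It works on constructed sample data shaped like what `ssl.SSLSocket.getpeercert()` returns, plus a snippet of HTML, rather than on a live connection; every certificate name, hostname and URL below is invented for the example. It flags an obsolete negotiated protocol version, an expired certificate, a certificate that does not cover the hostname, an intermediate missing from the served chain, and HTTP subresources (mixed content) in the page body.

```python
import re
import ssl
from datetime import datetime, timezone

OBSOLETE_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed samples in getpeercert() layout; not real certificates.
LEAF_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("commonName", "Example Intermediate CA"),),),
    "notAfter": "Jan  1 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
}
INTERMEDIATE_CERT = {
    "subject": ((("commonName", "Example Intermediate CA"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
# Constructed page body: one image fetched over plain HTTP, one script over HTTPS.
SAMPLE_HTML = (
    '<img src="http://cdn.example.test/logo.png">'
    '<script src="https://example.test/app.js"></script>'
)


def _common_name(rdns) -> str:
    """Pull the commonName out of a getpeercert()-style subject/issuer tuple."""
    for rdn in rdns:
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def certificate_findings(chain, hostname, now) -> list[str]:
    """Check the served chain (leaf first, then intermediates) against a hostname and a time."""
    findings = []
    leaf = chain[0]
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(leaf["notAfter"]), tz=timezone.utc)
    if expires <= now:
        findings.append(f"certificate expired on {expires:%Y-%m-%d}")
    sans = {value for kind, value in leaf.get("subjectAltName", ()) if kind == "DNS"}
    if hostname not in sans:
        findings.append(f"certificate not valid for {hostname}")
    # Without the client's trust store we can only check the leaf: its issuer must be the
    # subject of an intermediate the server sent (public CAs rarely sign leaves from a root).
    issuer = _common_name(leaf["issuer"])
    served_subjects = {_common_name(cert["subject"]) for cert in chain[1:]}
    if issuer != _common_name(leaf["subject"]) and issuer not in served_subjects:
        findings.append(f"intermediate CA certificate missing from chain: {issuer}")
    return findings


def mixed_content(html: str) -> list[str]:
    """URLs of subresources (img, script, iframe, ...) an HTTPS page loads over plain HTTP."""
    return re.findall(r'\bsrc=["\'](http://[^"\']+)', html, flags=re.IGNORECASE)


def connection_findings(tls_version, chain, hostname, html, now=None) -> list[str]:
    """Combine the protocol, certificate and page-content checks into one report."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if tls_version in OBSOLETE_VERSIONS:
        findings.append(f"obsolete protocol negotiated: {tls_version}")
    findings += certificate_findings(chain, hostname, now)
    findings += [f"mixed content: {url}" for url in mixed_content(html)]
    return findings


if __name__ == "__main__":
    report = connection_findings("TLSv1", [LEAF_CERT], "www.example.test", SAMPLE_HTML)
    for line in report:
        print("-", line)
```

On a real assessment the inputs come from the connection itself: `sock.version()` for the protocol, `sock.getpeercert()` for the leaf (the served intermediates need a lower-level library such as pyOpenSSL or the `openssl s_client` output), and the fetched page body for the mixed-content scan. The checks stay the same.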