HTTP and HTTPS

HTTP and HTTPS are the two topics most often "memorized as concepts" during site building, but they should really be understood within the actual request chain.

You do not need to memorize every TLS detail, but you should at least be clear on these questions:

  • Why does the browser inherently trust https:// sites more
  • What exactly does a certificate verify
  • Why do Cloudflare, Nginx, object storage, and hosting platforms all keep bringing up HTTPS
  • Why "the page opens" and "the chain is secure enough" are not the same thing

What This Page Covers

One-sentence version:

  • HTTP defines "how the browser and server exchange requests and responses"
  • HTTPS adds a TLS layer beneath HTTP, turning the connection into one with identity verification, encryption, and tamper protection

What HTTP Actually Manages

HTTP mainly defines these things:

  • Request methods, such as GET, POST, PUT, DELETE
  • Status codes, such as 200, 301, 404, 500
  • How headers and body are organized
  • How the client and server negotiate caching, compression, content type, authentication, and other behaviors

This means:

  • Visiting an image, an HTML page, or a JSON API all essentially use HTTP
  • Most fields you see in site caching, CDN origin pull, and browser developer tools are still HTTP semantics

What HTTPS Adds

HTTPS can be understood as "HTTP over TLS."

TLS provides three additional things:

  • Confidentiality: even if someone intercepts the traffic, they should not see the content directly
  • Integrity: if someone tampers with the data in transit, both parties should be able to detect it
  • Identity verification: the browser needs to confirm that it is actually connecting to the domain you claim, not a forged site

Core Differences Between HTTP and HTTPS

Dimension             | HTTP                      | HTTPS
Default port          | 80                        | 443
Transmission          | Plaintext                 | Encrypted via TLS
Identity verification | None                      | Domain identity verified through certificates
Tamper protection     | Weak                      | Has integrity protection
Browser trust         | Often flagged as insecure | Default requirement for modern sites
SEO and sharing       | Usually no advantage      | Better aligned with modern search and browser requirements

What a Certificate Actually Is

You can think of a certificate as "an identity document issued by a trusted authority." It states at least:

  • Which domain can use this certificate
  • Who issued it
  • When it expires
  • How the browser should verify the certificate chain

The most common certificate scenarios when building a site are:

  • Hosting platform auto-certificates: automatically issued by static hosting platforms
  • Let's Encrypt certificates: a common free option for origins
  • Cloudflare origin certificates: only used between Cloudflare and your origin
  • Commercial certificates: still used in some enterprise scenarios

What Happens During an HTTPS Visit

The minimal version of the process:

  1. The browser visits https://example.com
  2. The server returns the certificate
  3. The browser verifies whether the certificate is trusted, whether the domain matches, and whether it has expired
  4. Both sides complete the TLS handshake and negotiate encryption parameters
  5. Only then do they start exchanging actual HTTP requests and responses

The Four Most Common Misconceptions About Building a Site

1. "It's just a personal site, I don't need HTTPS"

Wrong. Modern browsers, search engines, third-party login, form submission, Service Workers, and similar capabilities almost all require HTTPS as a prerequisite.

2. "I'm using Cloudflare, so I don't need an origin certificate"

Not necessarily. If Cloudflare sits in front of your site, the connection from Cloudflare to your origin should also be encrypted.

3. "Once the certificate is configured, the site is absolutely secure"

Wrong. HTTPS addresses transport-layer security. It does not fix server vulnerabilities, XSS, SQL injection, or permission design problems.

4. "HTTP is much faster than HTTPS"

This conclusion is outdated. With modern hardware and protocol optimizations, the additional overhead of HTTPS is usually negligible compared with what it provides.

What to Do When Building a Site from Scratch

If this is your first time building a site, you can set the default approach as follows:

  1. Serve the entire site over HTTPS only
  2. Redirect all HTTP to HTTPS with a 301
  3. Use automatic certificate issuance wherever possible instead of manual management
  4. If you use a CDN or proxy layer in front, also encrypt the connection from the origin to the proxy layer
  5. After going live, actually check the certificate status and redirect chains
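As an added example (not code from the original page), the following Python script puts step 3 of the HTTPS visit above and step 5 of this checklist into practice: it follows a site's redirect chain, flags any hop that is not an HTTP-to-HTTPS 301 or that downgrades back to HTTP, and checks that the certificate presented on the final hop is unexpired and covers the host name. `check_site` needs network access; `audit_redirects` and `audit_cert` also work on hops and certificate dictionaries recorded by hand, and the 14-day expiry warning threshold is an assumption, not a rule from the page.

```python
import ssl, time
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import urljoin, urlparse

def audit_redirects(hops):
    # hops: [(url, status, location), ...]; an empty result means the chain follows the rules above
    findings = []
    for url, status, location in hops:
        scheme, target = urlparse(url).scheme, location or ""
        if scheme == "http" and (status != 301 or not target.startswith("https://")):
            findings.append(f"{url}: http must 301 to https, got {status} -> {target}")
        elif scheme == "https" and target.startswith("http://"):
            findings.append(f"{url}: downgrade redirect to {target}")
    if urlparse(hops[-1][0]).scheme != "https" or hops[-1][1] != 200:
        findings.append(f"chain ends at {hops[-1][0]} with {hops[-1][1]}, expected https 200")
    return findings

def san_matches(san, hostname):
    san, hostname = san.lower(), hostname.lower()
    if san.startswith("*."):  # single-label wildcard such as *.example.com
        return "." in hostname and hostname.split(".", 1)[1] == san[2:]
    return san == hostname

def audit_cert(cert, hostname, now=None):
    # cert is shaped like ssl.SSLSocket.getpeercert(); checks expiry and which names it covers
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    findings = ["certificate expired"] if not_after < now else []
    if not findings and not_after - now < 14 * 86400:  # assumed warning threshold
        findings.append("certificate expires in under 14 days")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(san_matches(s, hostname) for s in sans):
        findings.append(f"no SAN covers {hostname}")
    return findings

def check_site(url, max_hops=5):
    # live check (needs network): follow redirects, then audit the chain and the final certificate
    hops, cert, location = [], None, url
    while location and len(hops) < max_hops:
        url = urljoin(url, location)
        p = urlparse(url)
        conn = (HTTPSConnection if p.scheme == "https" else HTTPConnection)(p.hostname, p.port, timeout=10)
        conn.connect()  # HTTPSConnection verifies the chain and hostname against the system trust store
        cert = conn.sock.getpeercert() if p.scheme == "https" else None
        conn.request("HEAD", p.path or "/")
        resp = conn.getresponse()
        location = resp.getheader("Location")
        hops.append((url, resp.status, location))
        conn.close()
    return hops, audit_redirects(hops) + (audit_cert(cert, urlparse(hops[-1][0]).hostname) if cert else [])
```

Run `check_site("http://your-domain.example/")` after going live; an empty findings list means the HTTP entry point redirects with a 301 straight to HTTPS and the certificate on the final hop is valid for that host.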