
HTTPS & TLS

Category: security · Level: Beginner

Also Known As

HTTPS, TLS, SSL, TLS certificate, Let's Encrypt, HSTS, SSL certificate

TL;DR

HTTP over TLS — encrypts all traffic between browser and server, preventing eavesdropping, man-in-the-middle attacks, and tampering. Required for cookies, modern APIs, and all production web applications.

Explanation

HTTPS is HTTP transmitted over a TLS (Transport Layer Security) connection. TLS provides three guarantees: confidentiality (data is encrypted in transit, so only client and server can read it); integrity (tampering is detected via a MAC); and authentication (the server's identity is verified via its TLS certificate, signed by a trusted Certificate Authority).

A TLS certificate contains the domain name, issuer, validity period, and the server's public key. Let's Encrypt provides free, automatically renewing certificates via the ACME protocol (clients: Certbot, acme.sh).

A modern TLS configuration means: TLS 1.2 or newer (1.0 and 1.1 are deprecated); strong cipher suites; an HSTS header (tells browsers to always use HTTPS); and HSTS preloading (browsers ship with a list of HTTPS-only domains).

In PHP, all cookies should carry the Secure flag (HTTPS-only); sessions should set session.cookie_secure = true; API tokens and credentials must only be transmitted over HTTPS.

Common Misconception

"HTTPS only matters for pages that handle passwords or payment."

In fact HTTPS protects all traffic, including pages that serve session cookies, personalised content, or API tokens. An unencrypted HTTP page that sets a session cookie leaks that cookie to anyone on the same network. HSTS ensures that a browser which has already received the header (or has the domain in its preload list) never makes an unencrypted request, even if the user types http://; without it, the first request is vulnerable to downgrade attacks.

Why It Matters

HTTPS is the baseline security requirement for any web application in 2024. Google marks HTTP sites as 'Not Secure'. Modern browser APIs (Service Workers, Geolocation, Camera, Notifications) require HTTPS. PHP session cookies without the Secure flag are transmitted over HTTP, allowing network eavesdroppers to steal sessions. Let's Encrypt has made free TLS certificates universally available — there is no legitimate reason to run a production PHP application over HTTP.
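The three application-side controls named above (redirecting plain HTTP, sending HSTS, and a Secure session cookie) fit together in one bootstrap. The following is an added example written for this glossary entry, not CodeClarityLab's own code. It goes a step further than the text by handling TLS that is terminated at a reverse proxy: the X-Forwarded-Proto header is honoured only when the request comes from an address in an assumed TRUSTED_PROXIES list, because otherwise any client could claim "https" and suppress the redirect. The function names (isHttps, httpsRedirectTarget, enforceHttps, ipInCidr), the proxy ranges and the sample requests are all constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example: HTTPS bootstrap for a PHP application.
// (1) detect whether the request arrived over TLS, directly or via a trusted proxy,
// (2) redirect plain-HTTP requests to HTTPS,
// (3) send HSTS only on HTTPS responses (browsers ignore it over plain HTTP),
// (4) make the PHP session cookie Secure + HttpOnly + SameSite.

// Constructed example ranges for proxies we control (IPv4 only in this example).
const TRUSTED_PROXIES = ['10.0.0.0/8', '127.0.0.1/32'];

function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = explode('/', $cidr) + [1 => '32'];
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false;
    }
    $mask = (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

function isHttps(array $server): bool
{
    // TLS terminated by this web server: PHP sets HTTPS to a non-empty value other than "off".
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // TLS terminated upstream: trust X-Forwarded-Proto ONLY from a known proxy address.
    $peer = $server['REMOTE_ADDR'] ?? '';
    foreach (TRUSTED_PROXIES as $cidr) {
        if (ipInCidr($peer, $cidr)) {
            $first = explode(',', $server['HTTP_X_FORWARDED_PROTO'] ?? '')[0];
            return strtolower(trim($first)) === 'https';
        }
    }
    return false;
}

// Returns the HTTPS URL to redirect to, or null when the request is already secure.
function httpsRedirectTarget(array $server): ?string
{
    if (isHttps($server)) {
        return null;
    }
    // Production code should check this host against an allow-list of canonical
    // hostnames rather than echoing the Host header into a redirect.
    $host = preg_replace('/:\d+$/', '', $server['HTTP_HOST'] ?? 'example.test');
    return 'https://' . $host . ($server['REQUEST_URI'] ?? '/');
}

function enforceHttps(array $server): void
{
    $target = httpsRedirectTarget($server);
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }
    // Reached only over HTTPS, which is the only place browsers honour HSTS.
    // Roll out with a short max-age first; raise to one year once every subdomain serves HTTPS.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

    // Equivalent to session.cookie_secure = On plus HttpOnly/SameSite; must run before session_start().
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

if (PHP_SAPI !== 'cli') {
    enforceHttps($_SERVER);
} else {
    // Constructed requests to exercise the decision logic offline.
    $direct  = ['HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.9', 'HTTP_HOST' => 'example.test', 'REQUEST_URI' => '/login'];
    $plain   = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_HOST' => 'example.test:8080', 'REQUEST_URI' => '/login'];
    $proxied = ['REMOTE_ADDR' => '10.1.2.3', 'HTTP_X_FORWARDED_PROTO' => 'https', 'HTTP_HOST' => 'example.test', 'REQUEST_URI' => '/'];
    $spoofed = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https', 'HTTP_HOST' => 'example.test', 'REQUEST_URI' => '/'];
    var_dump(httpsRedirectTarget($direct));  // direct TLS termination
    var_dump(httpsRedirectTarget($plain));   // plain HTTP on a non-default port
    var_dump(httpsRedirectTarget($proxied)); // TLS terminated by a trusted proxy
    var_dump(httpsRedirectTarget($spoofed)); // forwarded header from an untrusted client
}
```

Run it from the command line to see the four decisions; the spoofed case shows why the forwarded header must never be trusted from arbitrary peers. Note that the HSTS header in this example omits preload, since that directive should only be added once the domain is actually submitted to the preload list.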

Common Mistakes

  • Not setting the Secure flag on cookies — PHP session cookies and authentication cookies must have Secure=true to prevent transmission over HTTP.
  • Not configuring HSTS — without it, browsers may make the first request over HTTP before being redirected; HSTS eliminates this window.
  • Using self-signed certificates in production — self-signed certs cause browser warnings and are rejected by API clients; use Let's Encrypt.
  • Not renewing certificates — Let's Encrypt certificates expire after 90 days; automate renewal with certbot renew in a cron job.
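The expiry and self-signed mistakes above come down to reading what a certificate actually says. The following is an added example, not the page's or Certbot's code, that uses PHP's openssl extension to pull out the fields the Explanation lists (subject name, issuer, validity period, public key) and turns the validity period into a renewal check on the 30-day margin Certbot itself uses. Since a real certificate cannot be embedded here, the script mints a throwaway self-signed certificate as a test fixture when no PEM path is given; certificateSummary(), renewalDue() and makeFixtureCertificate() are names invented for this example.

```php
<?php
declare(strict_types=1);

// Added example: inspect a TLS certificate's fields and decide whether renewal is due.

function certificateSummary(string $pem): array
{
    $cert = openssl_x509_read($pem);
    if ($cert === false) {
        throw new RuntimeException('not a valid PEM certificate: ' . openssl_error_string());
    }
    $info = openssl_x509_parse($cert);
    $pub  = openssl_pkey_get_details(openssl_pkey_get_public($cert));

    return [
        'subject_cn'  => $info['subject']['CN'] ?? null,
        // Browsers match the hostname against subjectAltName, not CN; CA-issued
        // certificates such as Let's Encrypt's carry one. The fixture below has none.
        'san'         => $info['extensions']['subjectAltName'] ?? null,
        'issuer_cn'   => $info['issuer']['CN'] ?? null,
        'not_before'  => $info['validFrom_time_t'],
        'not_after'   => $info['validTo_time_t'],
        'signature'   => $info['signatureTypeSN'],
        'key_bits'    => $pub['bits'],
        // A certificate that issued itself is exactly what browsers and API clients reject.
        'self_signed' => $info['subject'] === $info['issuer'],
    ];
}

// Let's Encrypt certificates live 90 days; Certbot renews when fewer than 30 remain.
// Returns true when renewal is due or the certificate has already expired.
function renewalDue(array $summary, int $now, int $thresholdDays = 30): bool
{
    return ($summary['not_after'] - $now) < $thresholdDays * 86400;
}

// Test fixture only: a self-signed certificate so the script runs offline.
function makeFixtureCertificate(string $cn, int $days): string
{
    $key = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    $csr = openssl_csr_new(['commonName' => $cn], $key, ['digest_alg' => 'sha256']);
    // A null CA certificate makes the certificate self-signed.
    $cert = openssl_csr_sign($csr, null, $key, $days, ['digest_alg' => 'sha256']);
    openssl_x509_export($cert, $pem);
    return $pem;
}

// Usage: php cert-check.php /etc/letsencrypt/live/<domain>/fullchain.pem
// (path is a placeholder; with no argument the fixture certificate is used)
$path = ($argv ?? [])[1] ?? '';
$pem = is_file($path) ? file_get_contents($path) : makeFixtureCertificate('example.test', 90);
$summary = certificateSummary($pem);

printf("subject CN : %s\n", $summary['subject_cn']);
printf("SAN        : %s\n", $summary['san'] ?? '(none)');
printf("issuer CN  : %s (%s)\n", $summary['issuer_cn'], $summary['self_signed'] ? 'self-signed' : 'CA-issued');
printf("valid      : %s .. %s\n", gmdate('c', $summary['not_before']), gmdate('c', $summary['not_after']));
printf("key/sig    : RSA %d bits, %s\n", $summary['key_bits'], $summary['signature']);
printf("renew now? : %s\n", renewalDue($summary, time()) ? 'yes' : 'no');
```

Pointed at the fullchain.pem that Certbot maintains, the same renewalDue() check makes a useful monitoring alert alongside the certbot renew cron job, catching the case where the job itself has silently stopped running.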

Code Examples

✗ Vulnerable
<?php
$sessionId = bin2hex(random_bytes(32)); // assumed to be generated earlier in the app

// Cookie without Secure flag — sent over HTTP as well as HTTPS
setcookie('session', $sessionId, [
    'httponly' => true,
    // 'secure' => true  -- missing! the browser also sends this cookie over plain HTTP
]);

// No HSTS — the first request stays vulnerable to a downgrade
// header('Strict-Transport-Security: ...');  -- missing
✓ Fixed
<?php
$sessionId = bin2hex(random_bytes(32)); // assumed to be generated earlier in the app

// All security flags on the session cookie (options-array form requires PHP 7.3+)
setcookie('session', $sessionId, [
    'expires'  => time() + 3600,
    'path'     => '/',
    'secure'   => true,    // HTTPS only
    'httponly' => true,    // no JS access
    'samesite' => 'Lax',   // CSRF protection
]);

// HSTS header — browsers remember HTTPS-only for 1 year.
// Browsers ignore HSTS received over plain HTTP, so send it only on HTTPS responses,
// and include 'preload' only once the domain is actually submitted to the preload list.
header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');

// Redirect HTTP to HTTPS in nginx:
// server { listen 80; return 301 https://$host$request_uri; }

Added 23 Mar 2026
DEV INTEL: Tools & Severity
Severity: 🔴 Critical · Fix effort: Low

⚡ Quick Fix
Install Certbot and run certbot --nginx or certbot --apache to obtain a free certificate. Add the HSTS header Strict-Transport-Security: max-age=31536000; includeSubDomains. Set the Secure flag on cookies.