
HTTPS & TLS

Security Beginner
debt(d7/e5/b5/t7)
d7 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'only careful code review or runtime testing' (d7). No detection_hints.tools are listed. Missing HTTPS, absent HSTS headers, missing Secure cookie flags, and lapsed certificates are not caught by compilers or standard linters — they require manual inspection of server config, HTTP response headers, or runtime network analysis (e.g. browser dev tools, security scanners). Certificate expiry is only noticed when it happens in production.

e5 Effort Remediation debt — work required to fix once spotted

Closest to 'touches multiple files / significant refactor in one component' (e5). The quick_fix describes installing Certbot and running a command, but a full remediation also requires setting HSTS headers in server config, adding Secure flags to PHP session and auth cookies across the codebase, setting up automated renewal cron jobs, and potentially updating hardcoded HTTP URLs. This spans server config, application cookie configuration, and deployment scripts — more than a single-line patch but not a full architectural rework.

b5 Burden Structural debt — long-term weight of choosing wrong

Closest to 'persistent productivity tax' (b5). Once HTTPS is properly configured, ongoing burden is moderate: certificates must be renewed (automate or pay the cost of expiry), HSTS preload considerations constrain future subdomain decisions, and every new cookie set in PHP must have the Secure flag. It affects multiple work streams (ops, backend, deployment) persistently but doesn't redefine the entire system architecture.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7). The misconception field states it explicitly: developers believe HTTPS only matters for password/payment pages. In reality, any page setting a session cookie over HTTP leaks that cookie to network eavesdroppers. This contradicts intuition that 'public' pages are harmless over HTTP, and the HSTS downgrade attack window is a subtle secondary trap that even security-aware developers often miss. This rises to t7 because the wrong belief is widespread and the consequences are session hijacking.


Also Known As

HTTPS, TLS, SSL, TLS certificate, Let's Encrypt, HSTS, SSL certificate

TL;DR

HTTP over TLS — encrypts all traffic between browser and server, preventing eavesdropping, man-in-the-middle attacks, and tampering. Required for cookies, modern APIs, and all production web applications.

Explanation

HTTPS is HTTP transmitted over a TLS (Transport Layer Security) connection. TLS provides: confidentiality (data encrypted in transit — only client and server can read it); integrity (tampering is detected via MAC); authentication (the server's identity is verified via its TLS certificate signed by a trusted Certificate Authority). A TLS certificate contains the domain name, issuer, validity period, and the server's public key. Let's Encrypt provides free, automatically-renewing certificates via the ACME protocol (Certbot, acme.sh). Modern TLS configuration: TLS 1.2+ (1.0 and 1.1 deprecated); strong cipher suites; HSTS header (tells browsers to always use HTTPS); HSTS preloading (browsers ship with a list of HTTPS-only domains). In PHP, all cookies should have the Secure flag (HTTPS-only); sessions should set session.cookie_secure = true; API tokens and credentials must only be transmitted over HTTPS.

Common Misconception

HTTPS only matters for pages that handle passwords or payment. HTTPS protects all traffic — including pages that serve session cookies, personalised content, or API tokens. An unencrypted HTTP page that sets a session cookie leaks that cookie to anyone on the same network. HSTS ensures browsers never make an unencrypted request even if the user types http:// — without it, the first request is vulnerable to downgrade attacks.

Why It Matters

HTTPS is the baseline security requirement for any web application in 2024. Google marks HTTP sites as 'Not Secure'. Modern browser APIs (Service Workers, Geolocation, Camera, Notifications) require HTTPS. PHP session cookies without the Secure flag are transmitted over HTTP, allowing network eavesdroppers to steal sessions. Let's Encrypt has made free TLS certificates universally available — there is no legitimate reason to run a production PHP application over HTTP.

Common Mistakes

  • Not setting the Secure flag on cookies — PHP session cookies and authentication cookies must have Secure=true to prevent transmission over HTTP.
  • Not configuring HSTS — without it, browsers may make the first request over HTTP before being redirected; HSTS eliminates this window.
  • Using self-signed certificates in production — self-signed certs cause browser warnings and are rejected by API clients; use Let's Encrypt.
  • Not renewing certificates — Let's Encrypt certificates expire after 90 days; automate renewal with certbot renew in a cron job.
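The Detectability note above says these mistakes only show up by inspecting HTTP response headers at runtime. The following is an added example (not part of this glossary entry) that does exactly that check offline: it parses a raw response and reports a missing or weak Strict-Transport-Security header and any Set-Cookie lacking Secure or HttpOnly. Function names and the sample response are constructed for illustration.

```python
HSTS_MIN_AGE = 31536000  # one year, the max-age the Fixed snippet on this page uses

def parse_headers(raw):
    # Lower-cased (name, value) pairs from a raw HTTP response; duplicates kept (Set-Cookie repeats).
    pairs = []
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # [1:] skips the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def hsts_findings(value):
    # value is the Strict-Transport-Security header value, or None when the header is absent.
    if value is None:
        return ["HSTS: header missing; first request can be downgraded to HTTP"]
    directives = {k.lower(): v.strip() for k, _, v in (p.strip().partition("=") for p in value.split(";"))}
    out = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        out.append("HSTS: max-age missing or malformed")
    elif int(max_age) < HSTS_MIN_AGE:
        out.append(f"HSTS: max-age {max_age} is below one year")
    if "includesubdomains" not in directives:
        out.append("HSTS: includeSubDomains not set")
    return out

def cookie_findings(set_cookie):
    # Check one Set-Cookie value for the Secure and HttpOnly attributes.
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    out = []
    if "secure" not in attrs:
        out.append(f"cookie {name!r}: Secure flag missing, sent over plain HTTP too")
    if "httponly" not in attrs:
        out.append(f"cookie {name!r}: HttpOnly flag missing")
    return out

def audit_response(raw):
    # All findings for one raw HTTP response; an empty list means it passed.
    headers = parse_headers(raw)
    hsts = next((v for n, v in headers if n == "strict-transport-security"), None)
    findings = hsts_findings(hsts)
    for n, v in headers:
        if n == "set-cookie":
            findings.extend(cookie_findings(v))
    return findings

# Constructed sample response mirroring the Vulnerable PHP snippet on this page.
VULNERABLE = "HTTP/1.1 200 OK\r\nSet-Cookie: session=abc123; HttpOnly\r\n\r\n<html>"
```

Run `audit_response` over a response captured from staging (browser dev tools or curl -i) to catch the missing Secure flag and HSTS header before they reach production.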

Code Examples

✗ Vulnerable
// Cookie without Secure flag — sent over HTTP
setcookie('session', $sessionId, [
    'httponly' => true,
    // 'secure' => true  -- missing! sent over HTTP too
]);

// No HSTS — first request vulnerable
// header('Strict-Transport-Security: ...');  -- missing

✓ Fixed
// All security flags on session cookie
setcookie('session', $sessionId, [
    'expires'  => time() + 3600,
    'path'     => '/',
    'secure'   => true,    // HTTPS only
    'httponly' => true,    // no JS access
    'samesite' => 'Lax',  // CSRF protection
]);

// HSTS header — browsers remember HTTPS-only for 1 year
header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');

// Redirect HTTP to HTTPS in nginx:
// server { listen 80; return 301 https://$host$request_uri; }

Added 23 Mar 2026
DEV INTEL Tools & Severity

Severity: Critical. Fix effort: Low.

Quick Fix

Install Certbot and run certbot --nginx or certbot --apache to obtain a free certificate. Add the HSTS header: Strict-Transport-Security: max-age=31536000; includeSubDomains. Set the Secure flag on cookies.