{
    "slug": "https",
    "term": "HTTPS & TLS",
    "category": "security",
    "difficulty": "beginner",
    "short": "HTTP over TLS — encrypts all traffic between browser and server, preventing eavesdropping, man-in-the-middle attacks, and tampering. Required for cookies, modern APIs, and all production web applications.",
    "long": "HTTPS is HTTP transmitted over a TLS (Transport Layer Security) connection. TLS provides: confidentiality (data encrypted in transit — only client and server can read it); integrity (tampering is detected via MAC); authentication (the server's identity is verified via its TLS certificate signed by a trusted Certificate Authority). A TLS certificate contains the domain name, issuer, validity period, and the server's public key. Let's Encrypt provides free, automatically-renewing certificates via the ACME protocol (Certbot, acme.sh). Modern TLS configuration: TLS 1.2+ (1.0 and 1.1 deprecated); strong cipher suites; HSTS header (tells browsers to always use HTTPS); HSTS preloading (browsers ship with a list of HTTPS-only domains). In PHP, all cookies should have the Secure flag (HTTPS-only); sessions should set session.cookie_secure = true; API tokens and credentials must only be transmitted over HTTPS.",
    "aliases": [
        "HTTPS",
        "TLS",
        "SSL",
        "TLS certificate",
        "Let's Encrypt",
        "HSTS",
        "SSL certificate"
    ],
    "tags": [
        "https",
        "tls",
        "ssl",
        "security",
        "certificates",
        "php",
        "encryption"
    ],
    "misconception": "HTTPS only matters for pages that handle passwords or payment. HTTPS protects all traffic — including pages that serve session cookies, personalised content, or API tokens. An unencrypted HTTP page that sets a session cookie leaks that cookie to anyone on the same network. Once a browser has seen the HSTS header (or the domain is on the preload list), it never makes an unencrypted request to that domain even if the user types http:// — without HSTS, the first request is vulnerable to downgrade attacks.",
    "why_it_matters": "HTTPS is the baseline security requirement for any web application in 2024. Google marks HTTP sites as 'Not Secure'. Modern browser APIs (Service Workers, Geolocation, Camera, Notifications) require HTTPS. PHP session cookies without the Secure flag are transmitted over HTTP, allowing network eavesdroppers to steal sessions. Let's Encrypt has made free TLS certificates universally available — there is no legitimate reason to run a production PHP application over HTTP.",
    "common_mistakes": [
        "Not setting the Secure flag on cookies — PHP session cookies and authentication cookies must have Secure=true to prevent transmission over HTTP.",
        "Not configuring HSTS — without it, browsers may make the first request over HTTP before being redirected; HSTS (once the header has been seen, or the domain is preloaded) eliminates this window.",
        "Using self-signed certificates in production — self-signed certs cause browser warnings and are rejected by API clients; use Let's Encrypt.",
        "Not renewing certificates — Let's Encrypt certificates expire after 90 days; automate renewal with certbot renew in a cron job."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "authentication",
        "php_sessions",
        "csrf",
        "insecure_cookie"
    ],
    "prerequisites": [],
    "refs": [
        "https://letsencrypt.org/",
        "https://hstspreload.org/"
    ],
    "bad_code": "// Cookie without Secure flag — sent over HTTP\nsetcookie('session', $sessionId, [\n    'httponly' => true,\n    // 'secure' => true  -- missing! sent over HTTP too\n]);\n\n// No HSTS — first request vulnerable\n// header('Strict-Transport-Security: ...');  -- missing",
    "good_code": "// All security flags on session cookie\nsetcookie('session', $sessionId, [\n    'expires'  => time() + 3600,\n    'path'     => '/',\n    'secure'   => true,    // HTTPS only\n    'httponly' => true,    // no JS access\n    'samesite' => 'Lax',   // CSRF protection (options array requires PHP 7.3+)\n]);\n\n// HSTS header — browsers remember HTTPS-only for 1 year.\n// Send it on HTTPS responses: browsers ignore it when received over plain HTTP (RFC 6797).\nheader('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');\n\n// Redirect HTTP to HTTPS in nginx:\n// server { listen 80; return 301 https://$host$request_uri; }",
    "quick_fix": "Install Certbot and run certbot --nginx or certbot --apache to get a free certificate. Add the HSTS header: Strict-Transport-Security: max-age=31536000; includeSubDomains. Set the Secure flag on all cookies.",
    "severity": "critical",
    "effort": "low",
    "created": "2026-03-23",
    "updated": "2026-03-23",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/https",
        "html_url": "https://codeclaritylab.com/glossary/https",
        "json_url": "https://codeclaritylab.com/glossary/https.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[HTTPS & TLS](https://codeclaritylab.com/glossary/https) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/https"
            }
        }
    }
}