Security
HTTPS/TLS
Secure communication over the internet
Intermediate
security tls encryption https
Definition
HTTPS (HTTP Secure) is the secure version of HTTP that uses TLS (Transport Layer Security) to encrypt communication between browser and server. It ensures data confidentiality, integrity, and authenticates the server’s identity.
TLS Handshake
1. Client Hello
- Supported TLS versions
- Cipher suites
- Random bytes
2. Server Hello
- Chosen TLS version
- Chosen cipher suite
- Server certificate
- Random bytes
3. Client verifies certificate
- Checks CA signature
- Validates hostname
- Checks expiration
4. Key exchange
- Client generates pre-master secret
- Encrypts with server's public key
- Both derive session keys
5. Encrypted communication begins
Security Benefits
1. Encryption
// Without HTTPS (HTTP)
GET /api/users
Host: example.com
// Anyone on the network can read this
// With HTTPS
GET /api/users
Host: example.com
// Encrypted - only client and server can decrypt
// TLS 1.3 uses AES-256-GCM or ChaCha20-Poly1305
2. Integrity
// HTTPS prevents man-in-the-middle attacks
// Any modification to data is detected
3. Authentication
// Certificate verifies server identity
// Prevents phishing sites
Enforcing HTTPS
HTTP Strict Transport Security (HSTS)
// Server response header
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
// Browser will:
// 1. Always use HTTPS for this domain
// 2. Include subdomains
// 3. Submit to preload list (irreversible)
Redirect HTTP to HTTPS
// Nginx
server {
listen 80;
server_name example.com;
return 301 https://$server_name$request_uri;
}
// Express middleware
function requireHTTPS(req, res, next) {
if (req.headers['x-forwarded-proto'] !== 'https') {
return res.redirect(301, 'https://' + req.get('host') + req.url);
}
next();
}
Security Headers
Content Security Policy
// Restrict resources to HTTPS only
Content-Security-Policy: default-src https:; upgrade-insecure-requests;
// Block mixed content
Content-Security-Policy: block-all-mixed-content;
Secure Cookies
// Server sets cookie
Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Strict
// Secure: Only sent over HTTPS
// HttpOnly: Not accessible to JavaScript
// SameSite: CSRF protection
Mixed Content
// HTTPS page loading HTTP resources = Mixed Content
// Blocked by browsers
// Bad
<img src="http://example.com/image.jpg">
// Good
<img src="https://example.com/image.jpg">
// Or use protocol-relative URL (not recommended)
<img src="//example.com/image.jpg">
Certificate Types
Domain Validation (DV)
// Validates domain ownership
// Free with Let's Encrypt
// Suitable for most sites
Organization Validation (OV)
// Validates organization identity
// Shows company name in certificate
// More trust indicators
Extended Validation (EV)
// Rigorous organization verification
// Green bar in browser (deprecated in modern browsers)
// Highest trust level
Certificate Management
Let’s Encrypt (Free)
# Install Certbot
sudo apt-get install certbot
# Obtain certificate
sudo certbot certonly --standalone -d example.com
# Auto-renewal (cron job)
0 12 * * * /usr/bin/certbot renew --quiet
Wildcard Certificates
# Covers all subdomains
*.example.com
# DNS validation required
Testing HTTPS
Online Tools
// SSL Labs Test
https://www.ssllabs.com/ssltest/
// Security Headers
https://securityheaders.com/
// Certificate Transparency
https://crt.sh/
Browser DevTools
// Check certificate in browser
// Chrome: Security tab in DevTools
// Firefox: Lock icon → Connection secure
// Verify TLS version
// Chrome DevTools → Security panel
Best Practices
1. Use TLS 1.2 or higher
// Disable old protocols
// TLS 1.0 and 1.1 are deprecated
// Nginx configuration
ssl_protocols TLSv1.2 TLSv1.3;
2. Strong Cipher Suites
// Prefer forward secrecy
// ECDHE key exchange
// AES-256-GCM or ChaCha20
// Nginx
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_prefer_server_ciphers on;
3. Certificate Pinning (Advanced)
// Hardcode expected certificate/public key
// Protects against rogue CAs
// Complex to maintain
Key Takeaway
HTTPS is essential for modern web security. It provides encryption, integrity, and authentication. Use HSTS to enforce HTTPS, set secure cookie flags, avoid mixed content, and keep TLS configurations up to date. Free certificates from Let’s Encrypt make HTTPS accessible to everyone.