HTTPS and TLS
Serve every page over HTTPS using TLS 1.2 or 1.3, redirect plain HTTP to HTTPS, and disable obsolete SSL and early TLS versions on every host you control.
What it is
HTTPS is HTTP carried over TLS, a protocol that encrypts and authenticates the connection between the browser and the server. TLS 1.3 (RFC 8446) is the current version; TLS 1.2 remains acceptable. Everything earlier — TLS 1.0, TLS 1.1, and all versions of SSL — is broken and must be disabled.
Why it matters
- Confidentiality. Without TLS, anyone on the path can read form data, cookies, and page content.
- Integrity. Network operators and middleboxes routinely inject ads, trackers, and malware into plain HTTP.
- Authentication. The certificate proves the visitor is talking to the right host, not a captive portal or attacker.
- Modern web features. Service workers, HTTP/2, HTTP/3, geolocation, camera, and most powerful browser APIs require a secure context.
- SEO and trust. Browsers mark HTTP pages as "Not Secure". Search engines prefer HTTPS.
How to implement
Get a certificate from an ACME-supported certificate authority — Let's Encrypt and ZeroSSL are free, automated, and well supported. Most hosting platforms issue and renew certificates automatically.
Configure your server using the Mozilla SSL Configuration Generator. The "Intermediate" profile is the right default for public sites in 2026 — it supports TLS 1.2 and 1.3 and works on every browser still in use.
Redirect every HTTP request to HTTPS with a 301:
HTTP/1.1 301 Moved Permanently
Location: https://example.com/pathServe the same redirect on every hostname you own, including the apex, www, and any legacy subdomains. After HTTPS works, add HSTS so browsers stop trying HTTP at all.
Cipher and protocol checklist:
- TLS 1.3 enabled, TLS 1.2 enabled, everything older disabled.
- OCSP stapling on.
- Forward-secret cipher suites only (ECDHE).
- A complete certificate chain — serve the intermediate, not just the leaf.
Common mistakes
- Mixed content: an HTTPS page that loads a script, image, or iframe over HTTP. Browsers block it.
- Self-signed certificates on production. Use a real CA.
- A valid certificate on
www.example.combut not the apexexample.com, or vice versa. - Leaving TLS 1.0 or 1.1 enabled "for old clients" that no longer exist.
- Forgetting to renew. Automate it.
Verification
- Run the Qualys SSL Labs test and aim for an A or A+.
curl -vI https://example.comshould reportTLS 1.3orTLS 1.2and a valid chain.- Visit
http://example.comand confirm it 301s tohttps://. - Check the browser console for mixed-content warnings.