What Is HTTPS and SSL/TLS? Website Security Explained for AI Coders
When you deploy a site, the browser shows a padlock — or a scary "Not Secure" warning. Here's what HTTPS actually does, why it's non-negotiable for every site you build, and how to get it for free in minutes.
TL;DR
HTTPS encrypts the connection between a user's browser and your server so nobody in between can read or tamper with the data. It's powered by TLS (the technology still called "SSL"). You get it via an SSL certificate — free from Let's Encrypt. On modern hosting platforms (Vercel, Netlify, Railway), HTTPS is automatic. On a VPS, run certbot --nginx. Every production site you build needs HTTPS, period.
Why AI Coders Must Understand HTTPS
When you deploy your first app to a VPS or custom domain, the browser may show "Not Secure" instead of a padlock. Users will bounce immediately. More importantly, without HTTPS, any password, API key, or personal data transmitted between the user and your server can be intercepted and read in plain text by anyone on the same network.
HTTPS is not optional. It's the baseline. And understanding it helps you:
- Fix the "Not Secure" warning when deploying to a VPS
- Understand why fetch requests from an HTTPS page to HTTP endpoints fail in modern browsers
- Know when AI's nginx config is missing SSL configuration
- Communicate intelligently about security with clients and collaborators
Real Scenario: Deploying to a VPS
"I just deployed my Node.js app to a VPS with nginx. I can access it at http://mysite.com but browsers show 'Not Secure.' How do I add HTTPS?"
What AI Generated
# Install Certbot (Let's Encrypt client) on Ubuntu/Debian
sudo apt update
sudo apt install certbot python3-certbot-nginx -y
# Get and install a free TLS certificate for your domain
# Certbot automatically modifies your nginx config
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
# Certbot will ask for your email (for renewal notices) and
# ask to redirect HTTP to HTTPS (say yes)
# Verify auto-renewal works (certificates expire every 90 days)
sudo certbot renew --dry-run
# Check your certificate status
sudo certbot certificates
That's it. Certbot handles everything: obtains the certificate, configures nginx to use it, and sets up automatic renewal. The padlock appears within seconds.
Understanding How HTTPS Works
The Problem with HTTP
HTTP sends data as plain text across the network. When you log into an HTTP site, your browser sends something like:
POST /login HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

username=chuck&password=mySecretPassword123
Anyone with access to the network path between you and the server — your ISP, a coffee shop router, a corporate firewall — can read this exactly as written. Whoever sits in that position is a man-in-the-middle, and on public WiFi getting there is trivially easy.
What HTTPS Does Differently
HTTPS wraps the HTTP connection in a TLS layer. Before any data is sent, the browser and server perform a TLS handshake:
- Hello: Browser says "I support TLS 1.3" and sends a random value
- Certificate: Server sends its TLS certificate (proving its identity)
- Verification: Browser checks: Is this certificate signed by a trusted authority? Has it expired? Does it match this domain?
- Key exchange: Both sides create a shared encryption key that only they know
- Encrypted channel: All subsequent data is encrypted with that key
After the handshake, that same login request looks like:
▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
▓ Encrypted — unreadable without the session key ▓
▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
The interceptor gets gibberish.
SSL vs TLS: The Naming Confusion
SSL (Secure Sockets Layer) was the original protocol, created in the 1990s. It had serious vulnerabilities and was deprecated. TLS (Transport Layer Security) replaced it — TLS 1.2 (2008) and TLS 1.3 (2018) are what every modern site uses.
The industry never updated the vocabulary. Everyone still says "SSL certificate," "SSL/TLS," and "HTTPS uses SSL." They all mean TLS. When you hear SSL, read TLS.
What an SSL Certificate Actually Is
A TLS certificate is a digital document that contains:
- Your domain name (what it's valid for)
- Your server's public key (used in the handshake)
- The Certificate Authority's digital signature (proves it's legitimate)
- Expiration date (Let's Encrypt certificates are valid for 90 days)
Certificate Authorities (CAs) are organizations that browsers trust to verify domain ownership. When you run Certbot, Let's Encrypt verifies you control the domain (by fetching, over HTTP, a file Certbot places on your server), then signs your certificate. Browsers see Let's Encrypt's signature and know the certificate is legitimate.
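The handshake checks and the certificate contents above can be reproduced locally. The script below is an added example, not code from the article: it builds a throwaway CA (standing in for Let's Encrypt), issues a 90-day certificate for the constructed domain example.test, and then runs the three browser checks (trusted signer, domain match, expiry) with openssl. The domain, CA name and temp-dir layout are assumptions for the demo; only openssl is required.

```shell
#!/bin/sh
# Added example, not from the article: a throwaway CA issues a 90-day
# certificate for the constructed domain example.test, then openssl runs the
# same checks a browser runs (trusted signer, domain match, expiry) against it.
# Everything lives in a temp dir; no real CA, nginx or Let's Encrypt involved.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-contained openssl config so the demo does not depend on /etc/ssl/openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
subjectAltName   = DNS:example.test,DNS:www.example.test
EOF

# 1. The authority (Let's Encrypt's role): a self-signed root certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$WORK/openssl.cnf" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. The server's key pair plus a signing request naming the domain (what certbot sends).
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
  -subj "/CN=example.test" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

# 3. The CA signs it for 90 days. The domains go into subjectAltName, which is
#    the field browsers actually match against; CN alone is not enough.
openssl x509 -req -days 90 -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -extfile "$WORK/openssl.cnf" -extensions v3_server \
  -out "$WORK/server.crt" 2>/dev/null

# Browser check 1: is the signature from a CA in the trust store?
chain_ok() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1; }
# Same certificate against the system trust store, which has never heard of
# "Demo Root CA": this is the failure behind a browser's "Not Secure" page.
chain_untrusted() { openssl verify "$WORK/server.crt" >/dev/null 2>&1; }
# Browser check 2: does the certificate cover the host name the user typed?
hostname_ok() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1
}
# Browser check 3: not expired, and (for renewal planning) not expiring within $1 seconds.
valid_for() { openssl x509 -noout -checkend "$1" -in "$WORK/server.crt" >/dev/null 2>&1; }
# The public key inside the certificate must be the one for the server's private key.
key_matches() {
  [ "$(openssl x509 -noout -pubkey -in "$WORK/server.crt")" = \
    "$(openssl pkey -in "$WORK/server.key" -pubout)" ]
}

report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }
report chain_ok
report chain_untrusted
report hostname_ok example.test
report hostname_ok evil.test
report valid_for 2592000     # 30 days: certbot renews once this starts failing
report valid_for 31536000    # a year: a 90-day certificate cannot promise that
report key_matches
```

The `valid_for` check is the same logic certbot's renewal timer applies: a 90-day certificate is fine when asked about the next 30 days and fails when asked about the next year, which is why renewal runs well before expiry rather than on the day.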
Getting HTTPS by Platform
Vercel / Netlify (Automatic)
Connect your domain in the dashboard. HTTPS is provisioned automatically — you don't configure anything. This is the easiest path for most vibe coders.
Railway / Render (Automatic)
Same as Vercel/Netlify. HTTPS is provisioned automatically on custom domains.
VPS with nginx (Manual — Certbot)
# Step 1: Point your domain's DNS A record to your VPS IP
# (do this first — Certbot needs to verify domain ownership via HTTP)
# Step 2: Make sure nginx is running with a basic config for your domain
# /etc/nginx/sites-available/yourdomain.com
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    root /var/www/yourdomain;
}
# Step 3: Install Certbot
sudo apt install certbot python3-certbot-nginx -y
# Step 4: Get the certificate (modifies your nginx config automatically)
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
# Step 5: Verify auto-renewal
sudo certbot renew --dry-run
# That's it. Certbot adds SSL config and HTTP→HTTPS redirect to nginx automatically.
Checking Your Certificate
# Check certificate details for any domain
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null 2>/dev/null | \
  openssl x509 -noout -dates -subject
# (</dev/null closes s_client's stdin; without it the command waits for input instead of exiting)
# Or just visit: https://www.ssllabs.com/ssltest/
# It gives your site a grade (A+ is best) and flags issues
What AI Gets Wrong About HTTPS
1. Configuring SSL in Code Instead of Infrastructure
AI sometimes generates Node.js code that manually handles TLS certificates using https.createServer(). For VPS deployments, this is wrong — nginx handles TLS termination and forwards plain HTTP to your Node.js app. Your app code should never deal with certificates directly.
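To make the "TLS belongs in nginx, not in app code" point concrete, and to give a quick way to spot an nginx config that is missing its SSL configuration, here is an added example that is not from the article or from certbot. It writes a constructed plain-HTTP reverse-proxy config next to the TLS-terminating shape certbot --nginx leaves behind, then lints both for the directives that must be present. The domain and the Node port 3000 are assumptions; the /etc/letsencrypt/live paths follow certbot's usual layout.

```shell
#!/bin/sh
# Added example, not from the article or from certbot: the plain-HTTP proxy
# config an AI tool often produces next to the TLS-terminating version certbot
# --nginx leaves behind, plus a lint that reports which TLS pieces are missing.
# Domain and Node port (3000) are constructed; cert paths follow certbot's layout.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Before: nginx proxies to the Node app, but nothing listens on 443.
cat > "$WORK/http-only.conf" <<'EOF'
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    location / {
        proxy_pass http://127.0.0.1:3000;
    }
}
EOF

# After: TLS terminates in nginx. The certificate and key stay here; the Node
# app still speaks plain HTTP on localhost and never loads a certificate itself.
cat > "$WORK/tls.conf" <<'EOF'
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name yourdomain.com www.yourdomain.com;
    ssl_certificate     /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF

# Echoes how many of the four TLS requirements the file lacks (0 = all present)
# and names each missing one on stderr.
nginx_tls_missing() {
  n=0
  for req in 'listen[[:space:]]+443[[:space:]]+ssl' \
             'ssl_certificate[[:space:]]' \
             'ssl_certificate_key[[:space:]]' \
             'return[[:space:]]+301[[:space:]]+https://'; do
    grep -Eq "$req" "$1" || { echo "$1: no directive matching '$req'" >&2; n=$((n+1)); }
  done
  echo "$n"
}

for f in http-only.conf tls.conf; do
  echo "$f: $(nginx_tls_missing "$WORK/$f") TLS requirement(s) missing"
done
```

The `X-Forwarded-Proto https` header in the second config is what lets the Node app know the original request was HTTPS (for secure cookies and absolute URLs) even though the hop from nginx to the app is plain HTTP on localhost.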
2. Confusing HTTPS with Full Security
AI correctly adds HTTPS but may not clarify that it only encrypts data in transit. Your database can still be breached, your app can still have XSS vulnerabilities, and your API keys can still be exposed in client-side code. HTTPS is a required baseline, not a complete security solution.
3. Missing Mixed Content
If your HTTPS page loads resources (images, scripts, stylesheets) over HTTP, browsers block them as "mixed content." AI sometimes generates code that hardcodes http:// URLs. Always use relative URLs (/images/logo.png) or protocol-relative URLs (//cdn.example.com/file.js), never http:// directly in production code.
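A pre-deploy scan catches these hard-coded http:// references before a browser does. The script below is an added example, not from the article: it writes a few constructed HTML, JS and CSS files and greps them for http:// URLs in resource-loading positions (src=, <link href=, CSS url(), fetch()/open()), while deliberately ignoring plain <a href> links, since navigating to an HTTP page is not mixed content. File names and URLs are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article: a pre-deploy scan for hard-coded http://
# resource URLs, the kind browsers block as mixed content once the page itself is
# served over HTTPS. The sample files below are constructed for the demo.
set -eu
SAMPLE="$(mktemp -d)"
trap 'rm -rf "$SAMPLE"' EXIT

cat > "$SAMPLE/index.html" <<'EOF'
<img src="http://cdn.example.com/logo.png">               <!-- blocked -->
<script src="https://cdn.example.com/app.js"></script>     <!-- fine -->
<link rel="stylesheet" href="/css/site.css">               <!-- fine: relative URL -->
<a href="http://example.com/about">About</a>               <!-- a link, not a resource: not blocked -->
EOF
cat > "$SAMPLE/app.js" <<'EOF'
fetch('http://api.example.com/data');                       // blocked
const hero = '//cdn.example.com/hero.jpg';                  // fine: protocol-relative
EOF
cat > "$SAMPLE/site.css" <<'EOF'
body { background: url(http://cdn.example.com/bg.png); }   /* blocked */
EOF

# Prints file:line:match for every http:// URL in a resource-loading position.
# Plain <a href> links are skipped on purpose; they navigate, they don't load.
mixed_content_refs() {
  grep -rEon \
    -e "src=[\"']http://[^\"']*" \
    -e "<link[^>]*href=[\"']http://[^\"']*" \
    -e "url\([\"']?http://[^\"')]*" \
    -e "(fetch|open)\([\"']http://[^\"']*" \
    "$1" || true
}

# Number of such references (0 means the tree is clean).
mixed_content_count() { mixed_content_refs "$1" | awk 'END { print NR }'; }

echo "Mixed-content references found: $(mixed_content_count "$SAMPLE")"
mixed_content_refs "$SAMPLE"
```

Run it against your build output rather than your source tree when a bundler rewrites URLs; what matters is what the browser will actually receive.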
Frequently Asked Questions
What is the difference between HTTP and HTTPS?
HTTP sends data in plain text — anyone intercepting the traffic can read passwords, session tokens, and personal data. HTTPS encrypts the connection using TLS so intercepted data is unreadable. HTTPS also verifies the server's identity via certificates, protecting against impersonation. Every production website must use HTTPS.
What is an SSL certificate?
An SSL certificate (technically a TLS certificate) is a digital file that proves your server's identity and provides the public key used to establish the encrypted connection. It's issued by a Certificate Authority (CA) like Let's Encrypt. The padlock icon in browsers means a valid certificate is present and the connection is encrypted.
How do I get HTTPS for free?
Use Let's Encrypt via Certbot: sudo certbot --nginx -d yourdomain.com. On Vercel, Netlify, Railway, or Render, HTTPS is automatic when you connect a custom domain. You never need to pay for an SSL certificate for a standard website — Let's Encrypt is free, trusted by all browsers, and its 90-day certificates are renewed automatically by Certbot.
What does SSL/TLS actually stand for?
SSL = Secure Sockets Layer (original, now deprecated). TLS = Transport Layer Security (current standard — TLS 1.2 and 1.3). The industry still says "SSL" out of habit. Every modern HTTPS connection uses TLS 1.2 or 1.3. When you see "SSL certificate," it means a TLS certificate.
Does HTTPS make my website fully secure?
No. HTTPS encrypts data in transit only — it does not prevent SQL injection, XSS attacks, authentication vulnerabilities, insecure code, or database breaches. HTTPS is a required baseline, not a complete security solution. You still need application security practices, input validation, proper authentication, and secure coding habits.