HTTP vs HTTPS
HTTP is the basic protocol for transferring web pages. HTTPS is HTTP over SSL/TLS — data between browser and server is encrypted in transit. Modern browsers show a padlock for HTTPS and often label HTTP as “Not Secure.”
For public sites today, HTTPS is effectively the default: user trust, login forms, payments, SEO, and many browser features expect it. HTTP may still appear for certificate challenges or redirects, but primary content should be served over HTTPS.
A Simple Analogy
HTTP is like mailing an open postcard. HTTPS is like mailing a letter inside a vault only the real endpoints can open. The message can be identical; exposure on the road is not — especially on cafe Wi-Fi or shared networks.
What HTTPS Changes
- Encryption in transit (harder to snoop)
- Integrity (mid-path tampering is easier to detect)
- Server identity via certificates (for example Let’s Encrypt)
- Requirements for some browser APIs in a secure context
- A friendlier search ranking signal than plain HTTP
HTTPS does not automatically make application code immune to SQL injection, XSS, or outdated plugins. App security remains a separate job.
HTTP → HTTPS Migration Checklist
- Install a valid certificate on every hostname you use
- Force 301 redirects from
http://tohttps://via .htaccess or the panel - Update canonical URLs in the CMS and internal links
- Clean mixed content (assets still on
http://) - Refresh sitemaps and watch Search Console
What to Watch For
- Expired certificates trigger scary browser warnings
- Cover both
wwwand apex when both are active - Behind a CDN, align origin SSL mode
- HSTS helps after HTTPS is stable on every path
FAQ
Is plain HTTP still acceptable?
Technically possible, but poor for trust and modern features. Logins and forms should be HTTPS.
Does HTTPS slow the site?
Modern overhead is tiny; security and trust benefits are far larger.
Certificate is live but still Not Secure?
Usually mixed content: images, fonts, or scripts still loading over http.
Do I need paid SSL?
For most sites, Let’s Encrypt is enough. See the SSL/TLS and Let’s Encrypt articles.
Disclaimer: Hosting Wiki articles are prepared for educational and reference purposes. Hosting technology keeps evolving, so some technical details may change over time.