HTTP is the original protocol for transferring data across the internet.

When a user visits a website, their browser sends an HTTP request to the site’s server. The server returns the page’s content in an HTTP response.

HTTP is insecure

Over HTTP, a browser sends data in plain text, unencrypted, through the internet to a web server, without authenticating the server’s identity. This opens the user to various methods of attack.

  • An attacker can eavesdrop on communication between a user and the websites they visit, and can construct a profile of the user from the metadata of that traffic.
  • Any personal information (login credentials, personal data submitted in forms) shared over HTTP can be stolen by an attacker.
  • An attacker can perform a man-in-the-middle attack and impersonate a website or alter its contents. Some ISPs actively do this to inject ads.

HTTPS is Secure HTTP

HTTPS adds encryption, server identification and data integrity on top of HTTP’s data transfer model.

HTTPS does not protect a website from other security vulnerabilities. If a website allows user login, a hacker can still attempt to crack user accounts with a brute-force attack, whether the site is served over HTTP or HTTPS.

And there’s more…

Serving a site over HTTPS comes with extra benefits.

Learn how HTTPS works, and set up HTTPS.