Secure hypertext transfer protocol (HTTPS) embodies security on the web. When end users make an HTTPS request to your site or application, they expect that their request and the response are encrypted and trusted, end-to-end.

How does HTTPS work?

At its base, HTTPS (also known as Secure Sockets Layer, "SSL" or Transport Layer Security, "TLS") compares a pair of encryption keys—one "public" and one "private"—to allow access. When an HTTPS connection is established, the server sends the requesting client a certificate ("cert") that includes the following:

  • The public key
  • A list of sites on which the cert is valid: Each of these is referred to as a "SAN."
  • An expiration date for the cert
  • A signature from a Certificate Authority: This proves that the key is legitimate for a SAN listed in the cert.

The client checks that the signature matches the cert, and that the cert came from a Certificate Authority it trusts. The client also verifies that the cert is actually for the site it requested, and finally that the cert hasn't expired. If those checks succeed, the client encrypts this information using the public key, and sends it to the server. This is used to establish a shared key for the session. Only a server that holds the corresponding private key can decrypt this information, read the shared key, and ultimately prove its identity to the requesting client.