HTTPS

安全

定义

安全超文本传输协议(HTTP Secure)。HTTP的加密版本,使用TLS保护浏览器与Web服务器之间传输中的数据。通过浏览器中的锁形图标和https://URL方案来标识。

HTTPS vs. HTTP

The only technical difference between HTTP and HTTPS is that HTTPS wraps the HTTP exchange inside a SSL/TLSSecure Sockets Layer / Transport Layer Security. Cryptographic protocols that provide encrypted, authenticated communication over a network. SSL is deprecated; modern implementations use TLS 1.2 or TLS 1.3. session. The browser first establishes a TLS connection — verifying the server's SSL/TLS CertificateA digital document that binds a cryptographic key pair to an organization or domain, enabling encrypted HTTPS connections. Issued by Certificate Authorities (CAs) like Let's Encrypt, it proves a website's identity to browsers., negotiating cipher suites, and deriving session keys — then sends HTTP requests over the encrypted channel. From the application perspective, HTTP works identically over TLS.

Without HTTPS, every router, ISP, and network observer on the path between client and server can read and modify the traffic. Login credentials, session cookies, and personal information travel in plaintext over unencrypted HTTP.

Modern HTTPS Requirements

Browsers now mark HTTP sites as "Not Secure" and increasingly refuse to load mixed content (HTTP resources on HTTPS pages). HTTP/2 and HTTP/3 are only supported over TLS in practice. Search engines treat HTTPS as a ranking signal. Let's Encrypt has made free, automated certificate issuance the norm, removing the cost barrier to adoption.

HSTS and Preloading

HTTP Strict Transport Security (HSTS) instructs browsers to always use HTTPS for a domain, even if the user types http://. Once a browser sees an HSTS header, it refuses to make unencrypted connections to that domain for the duration of the max-age period. HSTS preloading allows domains to be hardcoded into browser HSTS lists before any connection is ever made, preventing first-visit downgrade attacks.

Use SSL Certificate Checker to verify a site's HTTPS configuration, certificate chain, and HSTS settings. Check HTTP Header Analyzer to confirm security headers are correctly set alongside HTTPS.

相关术语

安全 的更多内容