HTTP / HTTPS
HTTP / HTTPS are the protocols browsers and servers use to communicate over the web. HTTP is the original plaintext version; HTTPS carries the same HTTP requests and responses inside a TLS connection, so the data in transit can’t be read or silently modified by anyone between browser and server. As of 2026, HTTPS is the default for every serious website; HTTP-only is a security and SEO liability.
The “S” in HTTPS made the modern internet possible. Without it, every login form, every credit card transaction, every private message would be readable by any network operator between you and the destination.
What HTTPS actually protects
Three things:
Confidentiality. Data sent between browser and server is encrypted. Network observers (your ISP, the public WiFi operator, anyone on the path) can still see which hostname you’re connecting to, through the DNS lookup and the TLS SNI field, but not the pages you request, the query strings, the cookies or the form data.
Integrity. Every TLS record carries an authentication tag, so anything modified in transit is detected and the connection fails rather than delivering altered bytes. A page served over HTTPS arrives as the server sent it; over HTTP, intermediaries can inject ads, tracking scripts, or rewritten content.
Authentication. The server presents a certificate issued by a certificate authority the browser trusts, proving that whoever holds the matching private key controls the domain in the address bar. That defeats most man-in-the-middle attacks where someone intercepts traffic by pretending to be the destination. It says nothing about whether the site itself is honest: a phishing site can have a perfectly valid certificate.
Why every site needs HTTPS in 2026
Four reasons:
Browsers actively warn against HTTP. Chrome marks every HTTP page “Not secure” in the address bar; Firefox and Safari flag HTTP pages at least when they carry form inputs. Chrome’s “Always use secure connections” setting goes further and interposes a full-page warning before loading an HTTP page at all.
Google uses HTTPS as a (small) ranking signal. Officially confirmed by Google in August 2014. Not the dominant ranking factor, but enough that no serious SEO leaves it on the table.
Many APIs and integrations require HTTPS. Service Workers, the Geolocation API, Web Crypto and push notifications are only available in a secure context; payment processors and OAuth providers require HTTPS redirect and callback URLs. HTTP-only sites lose access to large portions of the modern web platform.
Free certificates removed the cost barrier. Let’s Encrypt issues free, domain-validated TLS certificates through the ACME protocol, and clients such as certbot renew them automatically. The certificates are valid for 90 days, so automation is part of the deal, not an optional extra. There’s no cost or technical justification for staying on HTTP anymore.
What kills HTTPS implementations
Three patterns:
Mixed content. An HTTPS page that loads images, scripts, stylesheets or frames over plain HTTP. Browsers block active mixed content (scripts, stylesheets, iframes) outright, and upgrade passive mixed content (images, audio, video) to HTTPS or block it when the upgrade fails, so the page renders broken and the padlock disappears. Common during migrations from HTTP to HTTPS where hard-coded http:// asset URLs weren’t updated; scheme-relative or relative URLs sidestep the problem.
Expired certificates. TLS certificates have expiration dates (90 days for Let’s Encrypt). A lapsed certificate triggers full-page browser warnings that effectively take the site offline. Auto-renewal solves this, but the renewal job itself needs monitoring: a job that fails quietly because a DNS record changed or a firewall rule blocked the ACME challenge produces exactly the outage it was meant to prevent. Not setting up auto-renewal is the most common cause of preventable HTTPS outages.
Protocol downgrade attacks (SSL stripping). The first request a browser makes to a site typed without a scheme, or reached through an http:// link, is plain HTTP. An attacker on the path can answer that request themselves and keep the victim on HTTP while proxying to the real HTTPS site, reading everything in between. HSTS (HTTP Strict Transport Security) is a response header that tells the browser to use HTTPS for that host, and optionally its subdomains, for max-age seconds, so after the first visit the browser never sends plaintext to it; submitting the domain to the browser HSTS preload list closes the first-visit gap too. The header only takes effect when received over HTTPS, and it should be standard on any site that has gone HTTPS.
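A small audit script that catches the three failure modes above in a captured response: hard-coded http:// sub-resources in the HTML, a missing or weak Strict-Transport-Security header, and an http:// request that isn’t permanently redirected to https://. This is an added example, not code from the original page. The one-year max-age threshold matches the HSTS preload list’s minimum; treating only 301 and 308 as an acceptable redirect is an assumption of this script; and the sample page, headers and URLs at the bottom are constructed.

```python
"""Audit captured HTTP responses for the three HTTPS-migration mistakes discussed
above: mixed content, a missing or weak HSTS policy, and an http:// request that
is not permanently redirected to https://. Added example; sample data is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

ONE_YEAR = 365 * 24 * 3600  # minimum max-age the HSTS preload list accepts

# Elements whose sub-resource fetches count as mixed content on an HTTPS page.
# Scripts, stylesheets and frames are "active" (browsers block them outright);
# media is "passive" (browsers upgrade to https:// or block if that fails).
ACTIVE_TAGS = {"script": ("src",), "iframe": ("src",), "object": ("data",), "embed": ("src",)}
PASSIVE_TAGS = {"img": ("src", "srcset"), "source": ("src", "srcset"),
                "audio": ("src",), "video": ("src", "poster")}


def header(headers, name):
    """Case-insensitive header lookup on a plain dict."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


class MixedContentScanner(HTMLParser):
    """Collect (kind, tag, url) for every sub-resource that resolves to http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE_TAGS:
            kind, names = "active", ACTIVE_TAGS[tag]
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split():
            kind, names = "active", ("href",)
        elif tag in PASSIVE_TAGS:
            kind, names = "passive", PASSIVE_TAGS[tag]
        else:
            return  # anchors and other elements are navigations, not mixed content
        for name in names:
            value = attrs.get(name)
            if not value:
                continue
            # srcset holds comma-separated "url descriptor" pairs; keep only the URLs.
            urls = [c.split()[0] for c in value.split(",") if c.split()] if name == "srcset" else [value]
            for url in urls:
                # Relative and scheme-relative (//cdn...) URLs inherit https from the page.
                if urlparse(urljoin(self.page_url, url)).scheme == "http":
                    self.findings.append((kind, tag, url))


def find_mixed_content(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


def check_hsts(headers):
    """Return a list of problems with the Strict-Transport-Security header (empty = good)."""
    value = header(headers, "Strict-Transport-Security")
    if value is None:
        return ["no Strict-Transport-Security header: browsers will accept plaintext on the next visit"]
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.strip():
            directives[key.strip().lower()] = val.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        return ["HSTS header has no valid max-age directive, so browsers ignore it"]
    problems = []
    if int(max_age) == 0:
        problems.append("max-age=0 tells browsers to forget the HSTS policy")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age={max_age} is under one year, too short for preloading")
    if "includesubdomains" not in directives:
        problems.append("no includeSubDomains: TLS can still be stripped on subdomains")
    return problems


def check_http_redirect(request_url, status, headers):
    """An http:// request must get a permanent redirect to https:// on the same host; None = good."""
    location = header(headers, "Location")
    if status not in (301, 308) or not location:
        return f"http:// request answered with {status} instead of a permanent redirect to https://"
    target = urlparse(urljoin(request_url, location))
    if target.scheme != "https" or target.netloc != urlparse(request_url).netloc:
        return f"redirects to {location} rather than the https:// version of the same host"
    return None


# Constructed sample: an HTTPS page after a hasty migration (not a real site).
SAMPLE_PAGE_URL = "https://example.com/guide/"
SAMPLE_HEADERS = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=86400"}
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://example.com/css/site.css">
<script src="https://cdn.example.net/app.js"></script>
</head><body>
<img src="http://img.example.com/hero.jpg">
<img src="//cdn.example.net/logo.png" srcset="/logo@2x.png 2x">
<a href="http://example.com/other/">an http:// link is a navigation, not mixed content</a>
</body></html>"""

if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("mixed content:", *finding)
    for problem in check_hsts(SAMPLE_HEADERS):
        print("HSTS:", problem)
    print("redirect:", check_http_redirect("http://example.com/guide/", 301,
                                           {"Location": "https://example.com/guide/"}))
```

Run against the constructed sample it reports the http:// stylesheet as active mixed content, the http:// hero image as passive, a one-day HSTS max-age with no includeSubDomains, and a clean redirect. Feed it the headers and body of a real response (for example from a curl -i capture) to check a migration before flipping DNS or canonical URLs.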
An example
A solo affiliate operator’s site had been running on HTTP since 2014. They thought it didn’t matter because they weren’t handling sensitive data - no logins, no checkouts, just affiliate-link content.
A 2024 audit revealed the cost: bounce rate from mobile traffic was 70% (vs a 50% industry average). Investigation showed Chrome on Android displaying a “Not secure” warning prominently in the URL bar. Mobile users were bouncing on first impression because the warning made the site look untrustworthy.
Migration via Let’s Encrypt: 2 hours including certificate setup, mixed-content fixes, HSTS header. Cost: $0. Bounce rate dropped to 51% within a month. Organic traffic lifted ~8% over six months. HTTP hadn’t been free - the hidden cost had been bouncing visitors and lost ranking.
Related terms
- DNS - the resolution layer HTTP/HTTPS connections start with
- Canonical URL - the SEO directive that needs updating during HTTP-to-HTTPS migrations
- Duplicate Content - the SEO concern that arises if both HTTP and HTTPS versions get indexed
- Google Algorithm - the system that uses HTTPS as a (small) ranking signal
- Domain - the asset HTTPS protects the connection to
