Security Guide
TLS, HTTPS, and Modern Web Security: A Practical Guide
HTTPS is more than a padlock. Build a reliable chain from certificate issuance to encrypted origin traffic, then prove that it works.
TLS is the protocol that creates an authenticated, encrypted connection between two endpoints. HTTPS is HTTP carried over TLS. Together, they protect the confidentiality and integrity of requests and responses and let a browser verify that it is talking to the intended hostname.
That protection is not automatic just because a certificate exists. A site can have HTTPS at the browser and still send traffic unencrypted from an edge provider to its origin. It can also expose an old TLS version, serve mixed content, let certificates expire, or rely on a redirect before HSTS has been learned. A sound implementation treats the entire request path as a system.
What TLS actually protects
The TLS handshake negotiates protocol parameters, authenticates the server with a certificate, and establishes temporary traffic keys. After the handshake, TLS provides three useful properties:
- Authentication: the certificate binds a public key to a hostname that a trusted certificate authority has validated.
- Confidentiality: observers on the network cannot read the application data exchanged after the secure channel is established.
- Integrity: an attacker cannot silently modify protected requests or responses without detection.
TLS does not make an application trustworthy by itself. It does not fix broken authorization, injection vulnerabilities, leaked secrets, insecure dependencies, or an origin that accepts traffic from anywhere. For those concerns, combine transport security with a web application firewall, strong identity controls, and application-level validation.
The current baseline is TLS 1.3, with TLS 1.2 retained only when a documented compatibility requirement justifies it. TLS 1.0 and 1.1 are obsolete. TLS 1.3 removes legacy cipher suites and provides forward secrecy with its normal key exchange, but features such as 0-RTT require care because early data can be replayed.
An implementation sequence
1. Map every hostname and connection
Start with an inventory, not a configuration change. List public sites, APIs, admin panels, asset hosts, webhooks, staging domains, customer-specific hostnames, and origin endpoints. For each one, record who terminates TLS, which certificate covers it, how it renews, and whether the next hop is HTTP or HTTPS.
Include non-browser clients. Mobile apps, payment providers, partner integrations, monitoring systems, and command-line clients may have different compatibility constraints. An undocumented legacy client is not a reason to keep weak settings on every hostname; isolate it and give it a retirement date.
2. Issue and automate certificates
Use certificates whose names match the hostnames clients actually request. Prefer automated issuance and renewal, protect private keys, restrict who can retrieve them, and alert before expiration. Use wildcard certificates deliberately because a compromised wildcard key can affect many hosts.
Test renewal in a non-production path and make sure the complete certificate chain is served. A certificate can be valid on the server and still fail for clients if an intermediate certificate is missing or a hostname is absent from the certificate's subject alternative names.
3. Configure modern TLS
Set TLS 1.3 as the preferred protocol and retain TLS 1.2 only if your measured client population needs it. Disable SSL and TLS 1.0/1.1. Use standard authenticated encryption suites and a provider or server configuration that receives security updates. Do not hand-maintain a cipher list copied from an old blog post; review it against current Mozilla or OWASP guidance and your client requirements.
Be cautious with session resumption and 0-RTT. Resumption can reduce handshake cost, but an application must not treat replayable 0-RTT requests as safe for payments, password changes, order creation, or other non-idempotent actions. Disable early data for those routes or require an application-level replay defense.
4. Redirect HTTP and remove mixed content
Serve a permanent redirect from HTTP to the canonical HTTPS URL for browser-facing sites. Keep the redirect direct: http://example.com/page should go to the final HTTPS URL, not through several hostname and path hops. APIs and sensitive endpoints should not accept cleartext traffic at all when the architecture permits it.
Update absolute URLs in HTML, CSS, JavaScript, images, fonts, canonical tags, sitemaps, and third-party configuration. Mixed content can break functionality or quietly weaken the page's security model. A Content Security Policy with upgrade-insecure-requests can help with legacy references while they are being removed, but it is not a substitute for fixing source URLs.
5. Add HSTS in stages
The Strict-Transport-Security response header tells a browser to use HTTPS for future requests to a host. First verify that every affected hostname supports HTTPS, including subdomains that are rarely visited. Start with a short max-age, monitor, and increase it after testing. Add includeSubDomains only when the entire subdomain tree is ready. Treat preload as a separate commitment: it can make HTTP recovery difficult and requires strict eligibility conditions.
HSTS is sent on HTTPS responses. It cannot protect the very first HTTP request unless the domain is already in a browser preload list, so correct redirects, secure links, and certificate operations still matter.
Encrypt both legs of a CDN request
If Cloudflare, Fastly, or another edge provider terminates visitor TLS, configure and validate the edge-to-origin connection separately. A secure browser-to-edge connection is not end-to-end protection when the edge uses plain HTTP to reach the origin. Prefer origin HTTPS with certificate validation and restrict direct origin access where possible.
6. Complete the web security layer
Mark session cookies Secure, HttpOnly, and with an intentional SameSite policy. Set a Content Security Policy in report-only mode before enforcement, then use violation reports to remove unsafe dependencies. Review Referrer-Policy, Permissions-Policy, clickjacking protections, and cache rules for private responses. Never cache authenticated pages or personalized API responses without an explicit, tested cache policy.
TLS protects the channel; authorization protects the resource. For APIs, add authentication, schema validation, rate limits, and abuse controls rather than assuming HTTPS makes an endpoint safe. Optimi's API protection guide covers that boundary in more detail. For broader identity and access design, see the guide to zero trust for web applications.
How to validate the result
Test from outside your network and from representative client locations. At minimum:
- Request HTTP and confirm one intentional permanent redirect to the canonical HTTPS URL.
- Inspect the HTTPS certificate, hostname coverage, chain, expiration, and negotiated TLS version.
- Fetch representative pages and assets to find mixed content, missing security headers, and accidental cacheability.
- Test every origin route independently. Confirm that an invalid or expired origin certificate fails closed rather than silently downgrading to HTTP.
- Exercise login, checkout, webhooks, API mutations, and file uploads. Confirm that security controls do not break legitimate flows.
- Monitor certificate renewal, handshake failures, HTTP 5xx responses, origin connection errors, and HSTS-related reports.
Useful command-line checks include curl -I http://example.com, curl -I https://example.com, and openssl s_client -connect example.com:443 -servername example.com. Pair them with browser security panels and an external TLS scanner.
Common mistakes
- Treating the browser padlock as proof that the origin is encrypted.
- Enabling HSTS with
includeSubDomainsbefore auditing forgotten subdomains. - Turning on HSTS preload without a tested recovery and ownership process.
- Keeping obsolete protocols for an unmeasured, hypothetical client.
- Using 0-RTT for state-changing requests without replay protection.
- Sending secrets in URLs, where they may appear in history, logs, or referrers.
- Rotating certificates or keys without testing renewal, rollback, and monitoring.
- Assuming a WAF or CDN replaces authentication and least-privilege authorization.
For a managed review of the edge and application boundary, contact Optimi. Compare it with the zero trust guide and technical SEO edge checklist.
There are only two hard things in Computer Science: cache invalidation and naming things.
Make HTTPS part of a complete security design
Talk to our team about TLS, origin encryption, WAF policy, and the controls around your web traffic.
Get in touch