HTTP vs HTTPS: Pros and Cons

SSL, HTTP, HTTPS, TLS

Tanveer Sayem / 2022-10-18

5 min read

HTTP vs HTTPS is a common interview question. It is also important to understand if you run your own website and want the best SEO and security for it.

What is HTTP?

HTTP stands for Hypertext Transfer Protocol. It is the protocol that enables communication between systems, transferring information and data over a network. HTTP is the foundation of the World Wide Web. It is an application layer protocol designed to transfer information between networked devices, and it runs on top of other layers of the network protocol stack. A typical flow over HTTP involves a client machine making a request to a server, which then sends a response message.

What is an HTTP request?

An HTTP request is initiated by the client, usually the web browser. A complete document is reconstructed from the different sub-documents fetched, for instance text, layout description, images, videos, scripts, and more.

What’s in an HTTP request?

Each HTTP request made across the Internet carries a series of encoded data holding different types of information. A typical HTTP request contains:
  1. an HTTP version type
  2. a URL
  3. an HTTP method
  4. HTTP request headers
  5. optional HTTP body

What’s an HTTP method?

An HTTP method indicates the action that the HTTP request expects from the queried server. Common HTTP methods are GET, POST, PUT and DELETE.
A GET request expects information back in return, for example an HTML page, whereas a POST request means the user is trying to submit information to the server, for example submitting a username and password to get authenticated.
If you click on my affiliate links and shop (anything, not just books), I am going to receive a tiny commission. AND… Most of the time, you will receive an offer. Win/Win! The products that I have are the ones I believe in.

What are HTTP request headers?

HTTP headers are key-value pairs that are included in every HTTP request and response. These headers communicate vital information, such as what browser the client is using, and what data is being requested.
Request Headers
:authority: www.google.com
:method: GET
:path: /
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,la;q=0.8,ru;q=0.7

What's in an HTTP request body?

The body consists of the information being sent to the server, for example the username and password in a sign-in flow.
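
To make the parts of a request concrete, here is an added Python example (not code from the original article) that splits a raw HTTP/1.1 request into method, target, version, headers and body, then lists the form fields an observer of an unencrypted connection could read. The sample request, host name and credentials are constructed for illustration, and the function names are assumptions; the headers shown earlier use the HTTP/2 pseudo-header display, while this example uses the HTTP/1.1 text format.

```python
from urllib.parse import parse_qs

# Constructed sample: a sign-in POST as sent over plain HTTP/1.1.
# Host, path and credentials are made up for illustration.
RAW_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 32\r\n"
    b"\r\n"
    b"username=alice&password=hunter2!"
)


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, target, version, headers, body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line separating headers from body")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.lower()] = value.strip()  # names are case-insensitive
    # Trust Content-Length, not the buffer size, to delimit the body.
    length = int(headers.get("content-length", "0"))
    if length > len(body):
        raise ValueError("body shorter than Content-Length")
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body[:length]}


def visible_form_fields(raw: bytes) -> dict:
    """Form fields readable by anyone who can observe the unencrypted bytes."""
    req = parse_request(raw)
    if req["headers"].get("content-type") != "application/x-www-form-urlencoded":
        return {}
    fields = parse_qs(req["body"].decode("utf-8"), keep_blank_values=True)
    return {key: values[0] for key, values in fields.items()}
```

Over HTTPS the same bytes are encrypted by TLS before they leave the client, so an observer on the network path cannot recover these fields.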

What's in an HTTP response?

An HTTP response is what the client receives from the server. A typical HTTP response contains:
  1. an HTTP status code
  2. HTTP response headers
  3. optional HTTP body

What's an HTTP status code?

HTTP status codes are 3-digit codes most often used to indicate whether an HTTP request has been successfully completed. Status codes are broken into 5 blocks, where xx represents numbers from 00 to 99:
  1. 1xx Informational
  2. 2xx Success
  3. 3xx Redirection
  4. 4xx Client Error
  5. 5xx Server Error
The most common status code is 200 OK, indicating that the request was successfully completed. Another is 404 NOT FOUND, returned for example when there is a typo in the URL.

What are HTTP response headers?

Much like the HTTP request headers, the response also sets some valuable headers to convey important information.
Response Headers
cache-control: public, max-age=0
content-encoding: br
content-type: application/json; charset=utf-8
date: Thu, 20 Oct 2022 02:19:22 GMT
status: 200
server: Vercel
strict-transport-security: max-age=86400
x-frame-options: SAMEORIGIN

What's in an HTTP response body?

HTTP responses to GET requests generally have a body that contains the information requested. In a web server's case this is HTML data, which a web browser converts into a web page.

Can DDoS attacks be launched over HTTP?

In the context of DoS or DDoS attacks, HTTP requests in large quantities can be used to mount an attack on a target device, and are considered part of application layer attacks or layer 7 attacks.

Conclusion

HTTP is an extensible protocol that is easy to use. The client-server structure, combined with the ability to add headers, allows HTTP to advance along with the extended capabilities of the Web.
Though HTTP/2 adds some complexity by embedding HTTP messages in frames to improve performance, the basic structure of messages has stayed the same since HTTP/1.0.

What is HTTPS?

HTTPS is HTTP with encryption and verification. The only difference between the two protocols is that HTTPS uses TLS (SSL) to encrypt normal HTTP requests and responses and to digitally sign those requests and responses. As a result, HTTPS is far more secure than HTTP. A website that uses HTTP has http:// in its URL, while a website that uses HTTPS has https://.
The use of an SSL certificate is the key difference between HTTP and HTTPS. The S in HTTPS stands for secure: it encrypts data in transit so that it is not visible to hackers or others monitoring the connection. This ensures data integrity and prevents the information from being modified, corrupted, or stolen during transmission. The browser also indicates whether a website is secure or not.
For SEO purposes, Google also recommends that a website use HTTPS rather than HTTP. When it comes to building trust and credibility with your audience, HTTPS is the better choice.

How does TLS/SSL work on HTTPS?

TLS uses a technology called public key cryptography: there are two keys, a public key, and a private key, and the public key is shared with the client devices via the server's SSL certificate. When a client opens a connection with a server, the two devices use the public and private keys to agree on new keys, called session keys, to encrypt further communications between them.
Just like an ID card confirms a person's identity, a private key confirms the server's identity. When a client opens a channel with an origin server (e.g. when a user navigates to a website), possession of the private key that matches the public key in a website's SSL certificate proves that the server is actually the legitimate host of the website. This prevents or helps block a number of attacks that are possible when there is no authentication, such as:
In addition, the SSL certificate is digitally signed by the certificate authority that issued it. This provides confirmation that the server is who it claims to be.
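
The client-side view of the checks described above, as an added Python example (not code from the original article): the standard library's default `ssl` context verifies the certificate authority's signature chain and matches the certificate to the requested hostname, and `audit_context` flags a context where either check has been switched off. The function names are illustrative, and `describe_server` needs network access to run.

```python
import socket
import ssl


def verifying_context() -> ssl.SSLContext:
    """Client context that checks the CA signature chain and the hostname."""
    return ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True


def unverified_context() -> ssl.SSLContext:
    """Weak setting shown for contrast: traffic is encrypted, but to anyone."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return findings for settings that drop server authentication."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified against trusted CAs")
    if not ctx.check_hostname:
        findings.append("certificate is not matched to the requested hostname")
    return findings


def describe_server(host: str, port: int = 443) -> dict:
    """Complete a verified handshake with host and report what was agreed."""
    ctx = verifying_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        # wrap_socket raises ssl.SSLCertVerificationError if the chain or
        # the hostname check fails, so a result means the server was verified.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": cert.get("subject"),
                "issuer": cert.get("issuer"),
                "not_after": cert.get("notAfter"),
            }
```

A context that fails the audit still encrypts the connection, but the client no longer has any proof of which server holds the other end.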