API Security Tutorial
CHAPTER 03 Intermediate

HTTP and HTTPS Security Basics

Updated: May 13, 2026
15 min read


1. Introduction

Imagine shouting your bank password across a crowded room to a teller. Even if the teller is trustworthy, everyone in the room just heard your password. This is exactly how standard HTTP works. In this chapter, we will explore the critical difference between HTTP and HTTPS. We will learn how SSL/TLS encryption works, why certificates are mandatory for modern APIs, and how HTTPS forms the absolute baseline of all API security.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Explain why standard HTTP is inherently insecure for APIs.
  • Understand the mechanics of HTTPS and SSL/TLS encryption.
  • Explain the role of Digital Certificates and Certificate Authorities (CAs).
  • Understand Man-in-the-Middle (MitM) attacks.
  • Configure servers and code to enforce secure communication.

3. Beginner-Friendly Explanation

HTTP is like sending a postcard through the mail. The mail carrier, the sorting facility, and anyone who glances at the postcard can read the message written on the back. If you send an API request with a password over HTTP, it travels across dozens of internet routers in plain text. Any hacker sitting on the same coffee shop Wi-Fi can easily read it.

HTTPS (Hypertext Transfer Protocol Secure) is like putting that postcard inside a locked, indestructible steel briefcase. Only you have the key to lock it, and only the destination server has the key to unlock it. Even if a hacker intercepts the briefcase while it's traveling across the internet, all they see is ciphertext they can neither read nor alter.

4. Real-World Attack Scenarios

  • Man-in-the-Middle (MitM) Attack: You are at a coffee shop. A hacker sets up a fake Wi-Fi network named "StarbucksFreeWiFi". You connect to it. Your mobile app sends an API request over HTTP to log into your bank. The hacker's laptop intercepts the request, reads your password in plain text, and then forwards the request to the bank. You never know you were hacked.
  • Packet Sniffing: An attacker compromises a router at an ISP. They use packet-sniffing software (like Wireshark) to monitor all traffic. If an API uses HTTP, they can extract API keys and JWT tokens instantly.

5. Security Examples (SSL/TLS)

HTTPS relies on TLS (Transport Layer Security), the modern replacement for SSL.
  1. The Handshake: The client (Postman/Browser) connects to the API.
  2. The Certificate: The API sends back its Digital Certificate (issued by a trusted entity like Let's Encrypt), proving it is the real api.bank.com and not a hacker.
  3. The Keys: Through the handshake, client and server agree on a temporary session key that an eavesdropper watching the exchange cannot derive.
  4. Encrypted Tunnel: All subsequent API requests (headers, URLs, JSON body) are encrypted using that key.

6. Vulnerable vs Secure Code Examples

Enforcing HTTPS is usually done at the server level (Apache/Nginx), but you should also enforce it in your PHP code to be safe.

Vulnerable PHP (Allows HTTP):

```php
<?php
// API logic runs regardless of how the data arrived (HTTP or HTTPS).
// login_user() is assumed to be defined elsewhere in the application.
$password = $_POST['password'];
login_user($password);
?>
```

Secure PHP (Forces HTTPS):

```php
<?php
// Reject any request that is not sent via HTTPS.
// Note: behind a TLS-terminating proxy or load balancer, $_SERVER['HTTPS'] may be
// unset even for HTTPS traffic; configure the proxy to set it, or check the
// X-Forwarded-Proto header only when the request comes from a trusted proxy address.
if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] !== 'on') {
    http_response_code(403);
    echo json_encode(["error" => "Insecure connection. Use HTTPS."]);
    exit;
}

// login_user() is assumed to be defined elsewhere in the application.
$password = $_POST['password'];
login_user($password);
?>
```

7. HTTP Examples (Plaintext vs Ciphertext)

If a hacker intercepts an HTTP request, they see:
```http
POST /api/login HTTP/1.1
Host: api.example.com
Content-Type: application/json

{"email": "admin@site.com", "password": "super_secret_password"}
```

If a hacker intercepts an HTTPS request, they see:

```text
3fa8c9b2e1d5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1...
(Indecipherable encrypted garbage)
```

8. JSON Examples

Remember: HTTPS encrypts the *entire* HTTP message, including the URL path, the query string, the headers, and the JSON body. It does *not* hide the destination IP address (the routers need it to deliver the packets), and with standard TLS the server hostname is also visible in the handshake (the SNI extension). Therefore, the fact that you are talking to bank.com is public, but the JSON data you send them is strictly private.

9. PHP Examples (Secure Cookies)

If your API uses session cookies for authentication, you must flag them so they are *only* sent over HTTPS.

```php
<?php
// $token is assumed to be the session token issued after a successful login.
// Positional form: setcookie(name, value, expires, path, domain, secure, httponly)
// The 6th parameter 'true' makes the cookie "Secure" (only ever sent over HTTPS).
// The 7th parameter 'true' makes it "HttpOnly" (JavaScript cannot read it, so an
// XSS bug cannot steal the token; HttpOnly does not prevent XSS itself).
setcookie("api_session", $token, time() + 3600, "/", "api.example.com", true, true);
?>
```

10. Best Practices

  • HTTPS Everywhere: There is no excuse for using HTTP in modern development. Use free services like Let's Encrypt to get SSL certificates for all your APIs.
  • HSTS (HTTP Strict Transport Security): Configure your web server to send the HSTS header. This tells the browser/client, "Never, ever try to talk to me using HTTP, only use HTTPS."
  • Keep TLS Updated: Ensure your server disables outdated, broken protocols like SSLv3, TLS 1.0, and TLS 1.1. Only allow TLS 1.2 and TLS 1.3.
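The following is an added example (not code from the tutorial) that combines the HTTPS check from Section 6 with the HSTS header from the Best Practices list, and handles the case the plain `$_SERVER['HTTPS']` check misses: an API behind a TLS-terminating reverse proxy. The proxy address, `API_HOST` constant and helper names are assumptions for illustration.

```php
<?php
// Added example, not from the tutorial. Assumes a PHP API that may sit behind a
// TLS-terminating reverse proxy; $trusted_proxies lists that proxy's addresses.
const API_HOST = 'api.example.com'; // canonical host, never taken from the request

/** True when the current request arrived over HTTPS. */
function request_is_https(array $server, array $trusted_proxies): bool
{
    // Case 1: the web server (Apache/Nginx) terminated TLS itself.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Case 2: a proxy terminated TLS. Trust X-Forwarded-Proto only when the
    // direct peer is a known proxy, because any client can send that header.
    if (in_array($server['REMOTE_ADDR'] ?? '', $trusted_proxies, true)) {
        $hops = explode(',', $server['HTTP_X_FORWARDED_PROTO'] ?? '');
        // The trusted proxy appends its own value last, so use the last entry.
        return strtolower(trim(end($hops))) === 'https';
    }
    return false;
}

/** Enforce HTTPS: redirect safe reads, refuse everything else, and send HSTS. */
function require_https(array $server, array $trusted_proxies): void
{
    if (request_is_https($server, $trusted_proxies)) {
        // One year of HSTS: the client will refuse to use http:// for this host.
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
        return;
    }
    $method = $server['REQUEST_METHOD'] ?? 'GET';
    if ($method === 'GET' || $method === 'HEAD') {
        // Nothing sensitive should travel in a GET, so a 301 to https:// is acceptable.
        header('Location: https://' . API_HOST . ($server['REQUEST_URI'] ?? '/'), true, 301);
        exit;
    }
    // A POST over HTTP has already exposed its body in transit: do not process
    // it, and do not redirect (that would just tell the client to resend it).
    http_response_code(403);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'Insecure connection. Use HTTPS.']);
    exit;
}

require_https($_SERVER, ['10.0.0.5']); // constructed proxy address for illustration
$password = $_POST['password'] ?? '';  // only reached over HTTPS
```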

11. Common Mistakes

  • Mixed Content: Having an HTTPS website, but the frontend JavaScript makes an API call to an http:// endpoint. Modern browsers will block this automatically, breaking your app.
  • Ignoring Certificate Errors: When developing locally or using self-signed certificates, developers often tell Postman or cURL to "Ignore SSL Certificate Verification" (in PHP's cURL binding, setting CURLOPT_SSL_VERIFYPEER to false). If this flag makes it into production code, it completely defeats the purpose of HTTPS, making MitM attacks trivial.
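As an added example (not from the tutorial), here is the client side done correctly: a PHP cURL request that keeps certificate verification on, pins the minimum protocol to TLS 1.2, and fails closed when verification fails. The endpoint path on api.example.com and the function name are assumptions.

```php
<?php
// Added example, not from the tutorial. A client-side request that keeps
// certificate verification on and refuses outdated TLS versions. The URL is an
// assumed endpoint on the tutorial's api.example.com host.

/** Fetch $url over a verified TLS 1.2+ connection; returns [status, body]. */
function secure_api_get(string $url): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        // The common mistake is CURLOPT_SSL_VERIFYPEER => false. Keep both checks:
        // VERIFYPEER validates the chain up to a trusted CA, VERIFYHOST => 2 checks
        // that the certificate actually names the host in $url.
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        // Minimum TLS 1.2: SSLv3, TLS 1.0 and TLS 1.1 are never negotiated.
        CURLOPT_SSLVERSION      => CURL_SSLVERSION_TLSv1_2,
        // Never downgrade: https:// only, for the request and for any redirect.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        CURLOPT_TIMEOUT         => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        // Untrusted CA, name mismatch or expired certificate all land here.
        // Fail closed: log it, never retry with verification switched off.
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('TLS/transport failure: ' . $err);
    }
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return [$status, $body];
}

[$status, $body] = secure_api_get('https://api.example.com/health'); // assumed endpoint
```

For local development with a self-signed certificate, point CURLOPT_CAINFO at your own CA file instead of disabling verification, so the same code path ships to production unchanged.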

12. Security Checklists

Transport Security Checklist:
  • [ ] Is an SSL/TLS certificate installed and valid?
  • [ ] Does the server automatically redirect all HTTP traffic to HTTPS?
  • [ ] Is the PHP application actively rejecting non-HTTPS requests?
  • [ ] Are all authentication tokens and passwords transmitted ONLY over HTTPS?

13. Mini Exercises

  1. What does the "S" in HTTPS stand for?
  2. In your web browser, navigate to a major website (like google.com) and click the padlock icon next to the URL. View the Certificate to see who issued it.

14. Practice Challenges

Challenge: Using Postman, try to send an API request to http://api.github.com (note the http). Look at the response status and headers. Notice how GitHub responds with a 301 Moved Permanently to aggressively force you onto the https:// version of the API.

15. MCQs with Answers

Question 1

What type of attack involves a hacker secretly intercepting and reading data as it travels between the client and the API?

Question 2

What technology provides the encryption for HTTPS?

Question 3

If a hacker intercepts an HTTPS request, which of the following can they still see?

16. Interview Questions

  • Q: Explain how a Man-in-the-Middle attack works against an API using standard HTTP.
  • Q: What is TLS, and what role does a Digital Certificate play in API security?
  • Q: Explain the purpose of the Secure and HttpOnly flags when setting cookies in PHP.

17. FAQs

Q: Does HTTPS encrypt the data stored in my MySQL database? A: No! HTTPS only encrypts the data *in transit* (while it is flying through the internet wires). Once the data reaches your PHP server, it is decrypted. You must use separate database encryption techniques to protect data *at rest*.

18. Summary

In this chapter, we established the non-negotiable baseline of API security: HTTPS. We learned that sending sensitive data over standard HTTP is equivalent to shouting it in a crowded room, leaving it vulnerable to Man-in-the-Middle attacks. By utilizing TLS encryption and Digital Certificates, HTTPS creates an encrypted tunnel between the client and the server that an eavesdropper can neither read nor tamper with, ensuring Confidentiality and Integrity of data in transit.

19. Next Chapter Recommendation

Now that our communication tunnel is encrypted, we must verify the identity of the person standing at the other end of the tunnel. Proceed to Chapter 4: Authentication Fundamentals to learn how APIs identify users.
