Why This Matters
When you type a password into a login form or enter your credit card on a checkout page, that data travels across networks controlled by strangers — routers at your ISP, switches at data centers, WiFi access points at coffee shops. Without encryption, anyone along that path could read your data in plain text.
TLS (Transport Layer Security) is the protocol that encrypts HTTP traffic, turning it into HTTPS. The padlock icon in your browser means TLS is active. A certificate proves the server is who it claims to be. Understanding TLS is essential for building secure web applications.
Visual Model
The full process at a glance.
The TLS handshake establishes an encrypted channel: hello, certificate, verify, key exchange, then secure data transfer.
Code Example
```javascript
// HTTPS requests in Node.js — TLS is handled automatically
const https = require("https");

// fetch() (global in Node.js 18+) uses HTTPS when the URL starts with https://
async function secureRequest() {
  const response = await fetch("https://api.example.com/data");
  // TLS handshake happens behind the scenes
  // Data is encrypted in transit
  const data = await response.json();
  return data;
}

// Checking if a connection is secure
// (a scheme check only: it says nothing about the certificate or cipher)
function isSecure(url) {
  return url.startsWith("https://");
}
console.log(isSecure("https://example.com")); // true
console.log(isSecure("http://example.com")); // false

// Common security headers you should set:
// Strict-Transport-Security: max-age=31536000
//   Forces browsers to always use HTTPS
// Content-Security-Policy: default-src https:
//   Blocks loading resources over HTTP (mixed content)

// TLS certificate info (Node.js)
// tls.connect() validates the certificate chain against the system's trusted
// roots by default (rejectUnauthorized: true), so the callback only runs for
// a certificate the client actually trusts.
const tls = require("tls");
const socket = tls.connect(443, "example.com", () => {
  const cert = socket.getPeerCertificate();
  console.log("Issuer:", cert.issuer.O);
  console.log("Valid to:", cert.valid_to);
  console.log("Subject:", cert.subject.CN);
  socket.end();
});
```
Interactive Experiment
Try these exercises:
- Click the padlock icon in your browser's address bar on any HTTPS site. Inspect the certificate. Who is the issuer? When does it expire?
- Visit http://example.com (without the s). Does your browser redirect you to HTTPS automatically? This is HSTS (HTTP Strict Transport Security) in action.
- In your browser's dev tools, look at the Security tab. It shows the TLS version, cipher suite, and certificate chain.
- Try to imagine: what would a network eavesdropper see if there were no TLS? Every password, cookie, and API key would be in plain text.
Coding Challenge
Write a function called `findSecurityIssues` that takes an array of URL strings and returns an array of objects describing security issues. For each URL that uses 'http://' (not 'https://'), return an object with `url` and `issue: 'Not using HTTPS'`. URLs using 'https://' are secure — do not include them.
Real-World Usage
TLS is a non-negotiable requirement for modern web applications:
- HTTPS everywhere: Google Chrome marks HTTP sites as "Not Secure." Search engines rank HTTPS sites higher. Let's Encrypt provides free certificates, eliminating cost as an excuse.
- API security: Every API call carrying tokens, credentials, or user data must use HTTPS. OAuth 2.0 requires HTTPS for all redirect URIs.
- Certificate management: Tools like Certbot auto-renew certificates. Cloud providers (AWS, Cloudflare) offer managed TLS termination at the load balancer.
- mTLS (Mutual TLS): In microservice architectures, both the client and server present certificates to authenticate each other — used in service meshes like Istio.
- Certificate pinning: Mobile apps can pin a specific certificate to prevent man-in-the-middle attacks even with compromised CAs.