Script Valley
Authentication From Scratch
Authentication Fundamentals, Lesson 1.3

What is HTTPS and why auth requires it

TLS handshake, man-in-the-middle attacks, certificate authority, HSTS, mixed content, HTTP vs HTTPS for credentials

Credentials in Transit

Even if you hash passwords perfectly in your database, they travel as plaintext over an HTTP connection. Anyone on the same network — a coffee shop router, an ISP, a compromised proxy — can read them. This is a man-in-the-middle (MITM) attack, and it requires no special skill to execute on a local network.

What TLS Does

HTTPS wraps HTTP inside TLS (Transport Layer Security). TLS encrypts the entire request and response. A passive observer on the network sees only noise — not your login form data, not your session cookies, not your JWTs.

TLS works via a certificate issued by a Certificate Authority (CA). The CA vouches that whoever holds the certificate's private key controls yourdomain.com. Browsers ship with a list of trusted CAs and refuse to connect when a certificate is invalid or self-signed, which is why self-signed certificates are not an option in production.

What You Must Do

  • Use HTTPS on every page that handles auth — not just the login page
  • Enable HSTS (HTTP Strict Transport Security) so browsers never fall back to HTTP
  • Mark session cookies with the Secure flag so they are never sent over HTTP
  • Get a free certificate from Let's Encrypt if cost is a concern
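The checklist above, as an added example that is not part of the lesson: a small transport-policy helper for a Node.js request handler. It detects whether a request arrived over TLS, redirects plain-HTTP requests to HTTPS without reading or setting any credentials, and on HTTPS emits the HSTS header and a session cookie carrying the Secure flag. The cookie name `sid`, the `trustProxy` option and the use of `X-Forwarded-Proto` for a TLS-terminating reverse proxy are assumptions, not anything the lesson specifies.

```javascript
// Added example (not from the Script Valley lesson): transport policy for a
// Node.js HTTP handler. Plain HTTP gets a redirect and nothing else; HTTPS
// gets HSTS plus a Secure session cookie. Assumed: the app may run behind a
// reverse proxy that terminates TLS and sets X-Forwarded-Proto; the cookie
// name "sid" is an assumption.

const HSTS_MAX_AGE_SECONDS = 31536000; // one year; HSTS is ignored entirely unless sent over HTTPS

// True only if the request reached us over TLS.
// req.socket.encrypted is set by Node's https server. X-Forwarded-Proto is
// what a reverse proxy sets after terminating TLS; a client can also forge it,
// so it is trusted only when the app is explicitly configured behind a proxy.
function isHttps(req, { trustProxy = false } = {}) {
  if (req.socket && req.socket.encrypted) return true;
  if (trustProxy) {
    const proto = String(req.headers['x-forwarded-proto'] || '')
      .split(',')[0].trim().toLowerCase();
    return proto === 'https';
  }
  return false;
}

// Set-Cookie value for a session cookie the browser will never send over
// plain HTTP (Secure), that page scripts cannot read (HttpOnly), and that is
// not attached to cross-site navigations (SameSite=Lax).
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Decides the transport-level response for a request and returns
// { status, headers }. Auth logic should run only when status is 200.
function transportPolicy(req, sessionId, opts = {}) {
  const host = req.headers.host;
  if (!isHttps(req, opts)) {
    // Plain HTTP: redirect to HTTPS and do NOT read a password or set a cookie.
    return { status: 301, headers: { Location: `https://${host}${req.url}` } };
  }
  return {
    status: 200,
    headers: {
      'Strict-Transport-Security': `max-age=${HSTS_MAX_AGE_SECONDS}; includeSubDomains`,
      'Set-Cookie': sessionCookie('sid', sessionId),
    },
  };
}

// Guard for code review or a response hook: refuse any Set-Cookie that
// lacks the Secure attribute.
function hasSecureFlag(setCookieValue) {
  return setCookieValue.split(';').some((part) => part.trim().toLowerCase() === 'secure');
}

// Constructed sample requests (not captured traffic) covering the three cases.
const plainRequest = { url: '/login', headers: { host: 'example.test' }, socket: { encrypted: false } };
const tlsRequest = { url: '/login', headers: { host: 'example.test' }, socket: { encrypted: true } };
const proxiedRequest = {
  url: '/login',
  headers: { host: 'example.test', 'x-forwarded-proto': 'https' },
  socket: { encrypted: false },
};

console.log(transportPolicy(plainRequest, 'abc'));                        // 301 to https://example.test/login, no cookie
console.log(transportPolicy(tlsRequest, 'abc'));                          // 200 with HSTS and Secure cookie
console.log(transportPolicy(proxiedRequest, 'abc'));                      // 301: header not trusted by default
console.log(transportPolicy(proxiedRequest, 'abc', { trustProxy: true })); // 200: proxy terminated TLS
```

The redirect branch deliberately sends no cookie and does not look at the request body: once a credential has been submitted over HTTP it is already exposed, so the only correct response is to move the client to HTTPS before any auth logic runs. HSTS is sent only on the HTTPS branch because browsers ignore it on plain HTTP.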

There is no such thing as secure authentication over plain HTTP. Every other technique in this course assumes HTTPS is already in place.

Up next

Common authentication attack types explained
