Here’s a brief introduction to HTTPS for developers. 🔒
This article is extracted from the FastAPI docs about HTTPS.
I just upgraded those docs with several explanations and diagrams, and I thought the end result is generic and useful enough for many other developers (even in other languages and frameworks) to also publish it as a post, so here it is. 🤓
Who Is This For
If you are a user and your only interaction with HTTPS is opening URLs in the browser, then you are better off just reading How HTTPS Works.
If you are a cryptography researcher, you are better off studying the cryptographic primitives and then reading the standards (RFCs).
But if you are a developer (programmer, coder) and want to know enough technical details to understand how it works and how to use HTTPS in your applications without going into the depths of cryptography and web standards, then this is for you! 🎉👇
It is easy to assume that HTTPS is something that is just “enabled” or not.
But it is way more complex than that.
To learn the basics of HTTPS, from a consumer perspective, check https://howhttps.works/.
Now, from a developer’s perspective, here are several things to keep in mind while thinking about HTTPS:
- For HTTPS, the server needs to have “certificates” generated by a third party.
    - Those certificates are actually acquired from the third party, not “generated”.
- Certificates have a lifetime.
    - They expire.
    - And then they need to be renewed, acquired again from the third party.
- The encryption of the connection happens at the TCP level.
    - That’s one layer below HTTP.
    - So, the certificate and encryption handling is done before HTTP.
- TCP doesn’t know about “domains”. Only about IP addresses.
    - The information about the specific domain requested goes in the HTTP data.
- The HTTPS certificates “certify” a…
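
The layering and lifetime points from the list above, as an added Python example (not code from the FastAPI docs or the original post): `fetch_over_https` walks the layers in order (TCP connect, TLS handshake with the certificate, then HTTP), and `renewal_status` classifies a certificate by its expiry date. The function names, the 30-day renewal window and the `example.test` sample certificate are assumptions made for illustration.

```python
import socket
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "subjectAltName": (("DNS", "example.test"),),
    "notBefore": "Jan  1 00:00:00 2030 GMT",
    "notAfter": "Apr  1 00:00:00 2030 GMT",
}

def days_until_expiry(cert, now=None):
    """Days left before the certificate's notAfter (negative once expired)."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400

def renewal_status(cert, now=None, renew_before_days=30):
    """Classify a certificate as 'ok', 'renew' (inside the window) or 'expired'."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "expired"
    return "renew" if days <= renew_before_days else "ok"

def fetch_over_https(host, port=443, timeout=5.0):
    """Walk the layers in order: TCP connect, TLS handshake, then HTTP."""
    ip = socket.gethostbyname(host)  # the TCP connection only sees IP and port (IPv4 here)
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        ctx = ssl.create_default_context()  # verifies the chain and the host name
        # The handshake runs here, before any HTTP byte is sent; the
        # certificate is checked against server_hostname.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(request.encode("ascii"))  # HTTP travels inside the encrypted channel
            status_line = tls.recv(4096).split(b"\r\n", 1)[0].decode("latin-1")
    return cert, status_line

if __name__ == "__main__":
    # Offline: classify the constructed certificate against the current clock.
    print(renewal_status(SAMPLE_CERT), round(days_until_expiry(SAMPLE_CERT), 1))
```

Calling `fetch_over_https` needs network access to a host you operate; the dictionary it returns can be passed straight to `renewal_status`.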