What is HTTPS and how does it protect your website?

Home / Everything About / Everything About Websites / What is HTTPS and how does it protect your website?

Switching a website from HTTP to HTTPS changes one letter in the address bar and changes everything about how data moves between the site and its visitors. HTTPS, short for Hypertext Transfer Protocol Secure, is the encrypted version of the protocol that websites use to send and receive data. It affects search rankings, shapes how browsers present your site to visitors, and determines whether personal information submitted through your pages is protected or exposed in transit. Knowing exactly what HTTPS does, and what it does not do, is what makes the difference between a genuinely secure setup and one that just looks the part.

HTTP is the foundation of data communication on the web. Every time a browser requests a page and the server delivers it, that exchange happens over HTTP. The problem is that unencrypted HTTP transmits data in plain text. Anyone with access to the network traffic between the browser and the server can read what is being sent. HTTPS solves this by layering encryption over that same communication through an SSL certificate. For a full explanation of how SSL certificates work, see the article on what an SSL certificate is and how it works.

What is the difference between HTTP and HTTPS?

How data travels

  • HTTP transmits data as plain text. A form submission over HTTP sends the visitor's input across networks in a format that can be read if intercepted
  • HTTPS encrypts data before it leaves the browser and decrypts it only when it reaches the server. Intercepted data is unreadable without the decryption key
  • This difference is invisible to visitors in normal use, but it determines whether the data they submit is protected or exposed in transit

What browsers show visitors

  • Sites served over HTTPS display a padlock icon in the browser address bar, indicating the connection is secure
  • Sites served over HTTP display a "Not secure" label. On pages with input fields, some browsers show a more prominent warning
  • Visitors who see the "Not secure" label before submitting a form or making a purchase are less likely to proceed

The role of the SSL certificate

  • HTTPS requires an SSL certificate installed on the server. The certificate is what makes encrypted connections possible
  • Without a valid certificate, the browser cannot establish a secure connection and displays a warning instead of loading the page normally
  • The certificate also verifies the website's identity, confirming that the domain belongs to the organization it claims to represent

How does HTTPS protect your visitors' data?

When a visitor connects to an HTTPS website, the browser and server establish an encrypted channel through a process called the TLS handshake. All data exchanged after that point is encrypted for the duration of the session.

What HTTPS protects

  • Contact form submissions, including names, email addresses, and message content
  • Login credentials, including usernames and passwords entered on your site
  • Payment information, including card numbers and billing details on checkout pages
  • Search queries entered into on-site search fields

What HTTPS does not protect

  • HTTPS encrypts data in transit but does not protect data once it is stored on the server. A database breach is a separate security issue that HTTPS does not prevent
  • HTTPS does not make a website immune to other attacks. SQL injection, cross-site scripting, and brute force attacks target the website itself rather than the data in transit
  • HTTPS is one part of a broader security posture, not a complete solution on its own

For a wider view of what threats websites face and how to address them, see the article on why website security is important.

How does HTTPS affect search rankings?

HTTPS is a confirmed ranking signal. Search engines use it as one of the factors when evaluating pages, and sites without HTTPS are at a disadvantage relative to equivalent pages served securely.

HTTPS as a direct ranking signal

  • Pages served over HTTPS have a ranking advantage over HTTP pages that are otherwise identical
  • For pages competing closely in rankings, HTTPS can be the factor that determines which one appears higher

The page experience connection

  • HTTPS is a component of the page experience signals that search engines evaluate alongside Core Web Vitals when assessing pages
  • A page that fails the HTTPS requirement does not fully meet the page experience criteria, which affects how it is treated relative to pages that do
  • For a full breakdown of what Core Web Vitals measure and how they factor into the page experience assessment, see the article on what Core Web Vitals are

Search result warnings

  • If a site is flagged for security issues, search engines can add warnings to its listing in results or reduce its visibility entirely
  • A site served over HTTP that also has other security problems can face compounding reductions in search visibility

Referral data accuracy

  • When a visitor clicks a link from an HTTPS site to an HTTP site, the referral source is stripped and the visit appears as direct traffic in analytics
  • Sites running on HTTP lose accurate referral data from HTTPS sources, which makes tracking marketing performance harder
  • HTTPS to HTTPS referrals pass the full referral information correctly

What is involved in moving a website to HTTPS?

Getting an SSL certificate

  • HTTPS requires an SSL certificate installed on the server. For websites hosted on platforms that include certificates, this happens automatically
  • For sites on self-managed servers, a certificate needs to be obtained from a certificate authority and installed manually

Updating internal links and asset references

  • After enabling HTTPS, all internal links and asset references (images, scripts, stylesheets) on the site should point to HTTPS URLs
  • Pages that load assets over HTTP while the page itself is served over HTTPS trigger mixed content warnings, which can negate the security benefit and cause browser warnings

Setting up redirects

  • A redirect from HTTP to HTTPS ensures that anyone who reaches the HTTP version is automatically sent to the secure version
  • Without a redirect, the site effectively has two versions of every page, which creates duplicate content issues and splits any link signals between them

Updating your sitemap and search console settings

  • After moving to HTTPS, update your XML sitemap to reflect the HTTPS URLs and resubmit it to search engines
  • If you use a search console account, add the HTTPS version of your site as a separate property and verify it

For a full guide on protecting your website beyond HTTPS, see the article on how to protect your website from hackers.

How WEMASY handles HTTPS

All websites built on WEMASY are served over HTTPS by default. SSL certificates are included on every plan and activated automatically when a site is created. There is no separate setup, no certificate to purchase, and no renewal process to manage.

Internal links, assets, and all content served through the platform use HTTPS URLs by default. Mixed content warnings are not a concern for WEMASY-hosted sites because the platform enforces HTTPS throughout. HTTP to HTTPS redirects are also handled at the platform level, so visitors and search engines are always directed to the secure version of the site.

See what is included at the WEMASY website builder, or review plan options on the pricing page.

Frequently asked questions

What does HTTPS mean?

Is HTTPS required for all websites?

Does HTTPS improve SEO?

What is the difference between HTTP and HTTPS?

Can a site have both HTTP and HTTPS pages?

Does HTTPS protect my website from hackers?