Siksha Sarovar

Siksha Sarovar (sikshasarovar.com) is a free educational web application that helps students in India learn programming and prepare for academic and competitive exams. The platform offers structured coding courses (C, C++, Python, Java, HTML, CSS, PHP, Power BI, AI, Machine Learning, Data Science), complete university curriculum notes for BCA/MCA students with previous year question papers, Class 10 and Class 12 CBSE/HBSE school notes, and dedicated preparation material for SSC, UPSC, Banking, Railway and other government exams. Browsing the site is completely free and requires no account. Users may optionally sign in with Google solely to save their learning progress, quiz scores and personal preferences across devices.

Web Security Basics: HTTPS and SSL

Lesson 34 of 34 in the free Web Technologies notes on Siksha Sarovar, written by Rohit Jangra.

Why Web Security Matters

Web security protects data in transit, prevents attacks, and builds user trust. A single vulnerability can expose user credentials, payment information, or business data.

HTTP vs HTTPS

| Feature           | HTTP            | HTTPS                 |
|-------------------|-----------------|-----------------------|
| Port              | 80              | 443                   |
| Encryption        | None            | TLS/SSL               |
| Data integrity    | Not guaranteed  | Verified              |
| Authentication    | None            | Server verified by CA |
| SEO               | Ranked lower    | Ranked higher         |
| Browser indicator | "Not Secure"    | 🔒 padlock            |

SSL/TLS Explained

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols that provide secure communication over the Internet. All SSL versions are now deprecated; modern HTTPS uses TLS, although the name "SSL" survives in everyday usage (for example, "SSL certificate").

TLS Handshake Process

Client (Browser)                                           Server
     │                                                       │
     │──── ClientHello (TLS version, cipher list) ──────────►│
     │◄─── ServerHello (chosen cipher, certificate) ─────────│
     │     Verify certificate with CA                        │
     │──── Key exchange ────────────────────────────────────►│
     │◄─── Finished ─────────────────────────────────────────│
     │                                                       │
     │◄═══════ Encrypted communication begins ══════════════►│

SSL Certificates

An SSL certificate binds a domain name to the public key of the organization (or person) that controls it, and is signed by a Certificate Authority (CA) so that browsers can verify the binding.

Types of SSL Certificates

| Type                         | Validation              | Use Case             |
|------------------------------|-------------------------|----------------------|
| DV (Domain Validation)       | Domain ownership only   | Personal/basic sites |
| OV (Organization Validation) | Domain + organization   | Business sites       |
| EV (Extended Validation)     | Full legal verification | Banks, e-commerce    |
| Wildcard                     | *.example.com           | Multiple subdomains  |
| SAN/Multi-domain             | Multiple domains        | Enterprise           |

Getting a Free SSL Certificate

# Let's Encrypt (free, automated)
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d example.com -d www.example.com

# Let's Encrypt certificates are valid for 90 days; certbot's scheduled
# job renews them automatically before expiry. Test the renewal:
sudo certbot renew --dry-run

Common Web Security Threats

| Threat        | Description                | Prevention                 |
|---------------|----------------------------|----------------------------|
| XSS           | Inject malicious scripts   | Sanitize input, CSP headers|
| SQL Injection | Manipulate database queries| Parameterized queries      |
| CSRF          | Force authenticated actions| CSRF tokens                |
| MITM          | Intercept traffic          | HTTPS everywhere           |
| Clickjacking  | Overlay deceptive UI       | X-Frame-Options header     |
| Brute Force   | Guess passwords            | Rate limiting, CAPTCHA     |
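The three application-level preventions in the table (parameterized queries, output escaping for XSS, CSRF tokens) are easy to get wrong, so here is an added, self-contained Python example, written for this lesson and not part of Siksha Sarovar's own code. It builds a small in-memory SQLite table (constructed sample data), shows a string-built query beside its parameterized form, escapes untrusted text before it is placed in HTML, and issues and checks a per-session CSRF token. The table layout, user names and function names are assumptions for the demonstration.

```python
import hmac
import html
import secrets
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample database: two users, nothing from a real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """String-built query: the input is spliced into the SQL text, so a quote
    character in it changes the grammar of the statement."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Parameterized query: the SQL text is fixed and the value travels
    separately, so the same input is only ever compared as data."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def render_comment(comment: str) -> str:
    """XSS prevention: escape untrusted text at the point it enters HTML.
    quote=True also escapes ' and " so the text is safe inside attributes."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def issue_csrf_token() -> str:
    """CSRF prevention: an unguessable token stored in the session and
    embedded in every state-changing form."""
    return secrets.token_urlsafe(32)


def csrf_token_valid(session_token: str, submitted: str = "") -> bool:
    """Compare in constant time so timing differences leak nothing."""
    if not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"  # input containing a quote, as a user might type
    print(find_user_vulnerable(conn, probe))  # every user: WHERE became always true
    print(find_user_safe(conn, probe))        # []: the quote is just text
    print(render_comment("<script>alert(1)</script>"))
    tok = issue_csrf_token()
    print(csrf_token_valid(tok, tok), csrf_token_valid(tok, "something-else"))
```

Note that `find_user_vulnerable` and `find_user_safe` receive exactly the same input; the only difference is whether the driver or the string formatter decides what the quote character means.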

HTTP Security Headers

# Apache .htaccess
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "DENY"
# X-XSS-Protection is a legacy header that current browsers ignore; Content-Security-Policy is the effective XSS control
Header always set X-XSS-Protection "1; mode=block"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set Content-Security-Policy "default-src 'self'"

HTTPS Best Practices

  1. Redirect HTTP → HTTPS for all requests
  2. Use HSTS (HTTP Strict Transport Security)
  3. Keep SSL certificates up to date
  4. Use TLS 1.2 or 1.3 (disable older versions)
  5. Implement OCSP Stapling for faster certificate validation
  6. Use strong cipher suites
  7. Set secure and HttpOnly flags on cookies

# Set-Cookie header sent in the HTTP response
Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Strict

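To turn the header block above and best practices 1, 2 and 7 into something you can check, here is an added Python example (written for this lesson, not code from Siksha Sarovar). It audits a response's security headers against the values in the .htaccess block, checks the attributes of a Set-Cookie value, and builds the HTTP-to-HTTPS redirect. The header dictionaries and cookie strings in the example are constructed inputs, and the function names are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 31536000  # seconds, the HSTS max-age used in the .htaccess block


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for a response's headers (empty means all good)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append("HSTS missing: add Strict-Transport-Security")
    elif int(m.group(1)) < ONE_YEAR:
        findings.append(f"HSTS max-age {m.group(1)} is below one year")

    if "content-security-policy" not in h:
        findings.append("CSP missing: add Content-Security-Policy")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be 'nosniff'")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options should be DENY or SAMEORIGIN")
    return findings


def audit_set_cookie(set_cookie: str) -> List[str]:
    """Check the attributes of one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    # parts[0] is name=value; the rest are attributes, with or without a value
    attrs = {}
    for p in parts[1:]:
        name, _, value = p.partition("=")
        attrs[name.lower()] = value
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("cookie lacks Secure: it would also be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("cookie lacks HttpOnly: page scripts can read it")
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        findings.append("cookie lacks SameSite=Strict or SameSite=Lax")
    return findings


def https_redirect(scheme: str, host: str, path: str) -> Optional[Tuple[int, Dict[str, str]]]:
    """Best practice 1: answer any plain-HTTP request with a permanent redirect
    to the same URL over HTTPS. Returns None when the request is already HTTPS."""
    if scheme == "https":
        return None
    return 301, {"Location": f"https://{host}{path}"}


if __name__ == "__main__":
    # Constructed response headers mirroring the .htaccess block above
    good = {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
    }
    weak = {"Strict-Transport-Security": "max-age=300"}
    print(audit_security_headers(good))   # []
    print(audit_security_headers(weak))   # four findings
    print(audit_set_cookie("session=abc123; Secure; HttpOnly; SameSite=Strict"))  # []
    print(audit_set_cookie("session=abc123"))  # three findings
    print(https_redirect("http", "example.com", "/login"))
```

Running the audit against your own site's responses (for example, the headers returned by a fetch from a test client) is a quick way to confirm that the .htaccess rules actually took effect, since a misplaced or unloaded `.htaccess` file fails silently.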
Key Takeaway: HTTPS with TLS encrypts data in transit and verifies server identity. Use free Let's Encrypt certificates, enforce HTTPS redirects, set security headers, and sanitize all user input to build secure web applications.