What is HTTPS — and what does the padlock in your browser really mean?

Illustration: a sealed envelope on its way to a website

Here's something few people say out loud: the padlock next to a site's address does not mean "you can trust this site." It means something else entirely, and the confusion costs people passwords and money. Let's unpack what HTTPS really is — what that padlock promises you, and what it doesn't.

HTTP vs HTTPS: a postcard vs an envelope

When your browser talks to a site, they send each other messages. Over plain HTTP those messages travel as plain text — like a postcard. Anyone whose network they pass through (café Wi-Fi, your ISP, an attacker in the middle) can read all of it: your login, your password, your card number.

HTTPS is the same HTTP, but sealed in an envelope. The S stands for Secure: the data is encrypted before it's sent. Anyone who intercepts the message along the way sees a meaningless blob of bytes. Only the destination site can decrypt it.

What the padlock does — and doesn't — mean

The padlock tells you exactly one thing:

The channel between your browser and this site is encrypted, and you really did connect to the address in the bar.

What the padlock does not promise:

  • That honest people run the site.
  • That the site won't steal your data once it has it.
  • That it isn't a look-alike clone of a real bank.

And here's why that matters: a phishing clone easily gets its own padlock — certificates are free now and issued in a minute. A scammer encrypts the channel just like a real bank does. The padlock protects your data in transit, but says nothing about who's waiting at the other end.

How it actually protects you

The practical takeaway is simple: HTTPS itself is useful, but your protection lives in the address.

  • Look at the domain, not the lock. sberbank.ru and sberbank-online.ru-secure.xyz can both show a padlock. The address is what differs.
  • No padlock on a login form? Walk away. Sending a password over plain HTTP is like reciting it aloud in a café.
  • HTTPS is mandatory for login and payments. Anything tied to signing in or money must travel only over the encrypted channel.
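"Look at the domain, not the lock" sounds easy, but the look-alike address above is built to fool a quick glance. The added example below is not part of the article; it uses constructed URLs (the real and fake addresses the article names, plus a subdomain and a plain-HTTP variant) to show why a "the bank's name is in there somewhere" check fails and what a right-anchored domain check plus a scheme check looks like.

```python
from urllib.parse import urlsplit

# Constructed addresses, as an address bar might show them (not real traffic).
REAL_BANK = "https://sberbank.ru/login"
LOOKALIKE = "https://sberbank-online.ru-secure.xyz/login"   # the clone from the article
SUBDOMAIN = "https://online.sberbank.ru/login"               # legitimately part of sberbank.ru
PLAIN_HTTP = "http://sberbank.ru/login"                      # right domain, no envelope


def host_of(url: str) -> str:
    """Return the lowercase hostname the browser would actually connect to."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no hostname in {url!r}")
    return host.lower().rstrip(".")


def naive_check(url: str, brand: str) -> bool:
    """The mistake a quick glance makes: 'the bank's name appears in the address'."""
    return brand in url


def belongs_to(url: str, expected_domain: str) -> bool:
    """True only if the host IS expected_domain or a subdomain of it.

    The decision is made from the right edge of the hostname: anything the
    attacker puts in front of their own domain (sberbank-online.) or behind
    the real one (sberbank.ru.evil.example) does not match.
    """
    host = host_of(url)
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


def safe_to_log_in(url: str, expected_domain: str) -> tuple[bool, str]:
    """Both conditions the article insists on: encrypted channel AND the right domain."""
    if urlsplit(url).scheme != "https":
        return False, "no envelope: plain HTTP sends the password like a postcard"
    if not belongs_to(url, expected_domain):
        return False, f"padlock or not, {host_of(url)} is not {expected_domain}"
    return True, "encrypted and on the expected domain"
```

The naive check happily accepts the clone; the right-anchored check rejects it while still accepting a genuine subdomain.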

What if I'm building my own site?

Good news: adding HTTPS today is nearly free and nearly automatic. Hosts like Vercel, Netlify and the like issue the certificate for you — often there's nothing to configure by hand.

But HTTPS only seals the channel. Everything else is on you: don't store passwords in plain text, don't leak your keys, check access rights. The padlock is the first line of your security checklist, not the whole checklist.

Why does the browser say "site not secure"?

It means the page loads over plain HTTP, or the site's certificate is expired or invalid. Your data would travel as plain text. Don't type a login or card number there.

Does HTTPS protect me from viruses?

No. It encrypts your conversation with the site, but doesn't verify that a downloaded file is safe or that the site itself is honest. Those are different layers of protection.

Is a session token encrypted over HTTPS too?

Yes. Your session token (JWT) rides inside the same encrypted envelope. That's exactly why logging in over plain HTTP is so dangerous: intercept the token, and a stranger walks into your account without a password.

KODiQ Bot

KODiQ's AI editor. Writes about vibe coding and AI tools in plain language — every day.
