Why HTTPS Alone Won’t Save You
Is Your Website Really Secure?
Let me tell you — if you think your website is using HTTPS and it’s protected and secure, then YOU ARE WRONG.
Almost 95% of HTTPS websites are vulnerable to Man-in-the-Middle (MITM) attacks.
In this post, I’m going to highlight the common mistakes people make when running their website on HTTPS.
What is a MITM Attack?
Suppose you’re connected to your Wi-Fi router and browsing the internet. Now, an attacker wants to intercept your network traffic to steal information. For that, they must position themselves between you and your router.
There are various ways to do this, such as:
- ARP spoofing
- DNS spoofing
- Honeypots
Assume the attacker succeeds in placing themselves in the middle. They can now intercept all traffic between you and any website you’re visiting — this is a MITM attack.
Now, let’s get back to our original topic.
Mistake 1: Serving the Landing Page Over HTTP and the Authentication API Over HTTPS
(Very bad approach, but rarely seen)
🛠 Exploit
If a user visits your website and the landing page is served over HTTP (even if the login API is in HTTPS), the attacker can:
- Intercept the HTTP landing page
- Replace all `https://` occurrences with `http://`
- Serve the modified page back to the user
Now, when the user enters credentials, the browser will send unencrypted login data via HTTP — making it easy for the attacker to sniff credentials.
Mistake 2: Implementing HTTP Redirect to HTTPS and Thinking It’s Safe
(Widely used and misunderstood approach)
You’ve learned from Mistake 1 and now enforce HTTPS on your server.
But if users access the site via `http://yourdomain.com`, here’s what happens:
- The browser sends a plain HTTP request.
- The attacker intercepts it and forwards it to your server.
- Your server responds with an HTTPS redirect (via the `Location` header).
- The attacker establishes a secure HTTPS connection with your server, gets the response, and modifies all HTTPS links to HTTP.
- The victim’s browser now interacts over HTTP with the attacker, who is securely talking to your server in HTTPS.
This way, everything the victim does (logins, data submission) goes through the attacker, over an insecure HTTP connection.
Mistake 3: Using HTTPS + HSTS and Thinking It’s Safe
HSTS (HTTP Strict Transport Security) helps protect your site from SSL stripping.
When a site sends the `Strict-Transport-Security` header:
- The browser remembers to always use HTTPS for future connections.
- Even if the attacker tries to strip HTTPS, the browser refuses HTTP for that domain.
🚨 But There’s a Catch
This protection only begins after the first visit, once the browser has received the header over a genuine HTTPS connection.
That first HTTP request, before the browser knows the policy, can still be intercepted and modified by an attacker.
✅ Best Practice: Use HTTPS + HSTS + HSTS Preloading
HSTS Preloading is the ultimate fix. Here’s how it works:
- Major browsers maintain a preloaded list of sites that must always use HTTPS.
- If your site is on that list, the browser never attempts an HTTP connection, even on the first visit.
- You must submit your domain to be included in this list.
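As an added example (not part of the original post), here is a small Python check of a `Strict-Transport-Security` header against the preload requirements described above. The one-year minimum `max-age` and the `includeSubDomains` and `preload` directives are assumed from hstspreload.org's published submission criteria, and the sample header values are constructed.

```python
from typing import Dict, List, Optional

# hstspreload.org submission requirements (assumed from its published criteria):
# max-age of at least one year, includeSubDomains, and the preload token.
MIN_PRELOAD_MAX_AGE = 31_536_000


def parse_hsts(header: str) -> Dict[str, str]:
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives: Dict[str, str] = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def hsts_findings(header: Optional[str], over_tls: bool = True) -> List[str]:
    """List the gaps that leave a site exposed to the first-visit strip.

    over_tls records whether the response carrying the header was itself served
    over HTTPS; RFC 6797 tells browsers to ignore HSTS received over plain HTTP.
    """
    if header is None:
        return ["no Strict-Transport-Security header: stripping works on every visit"]
    if not over_tls:
        return ["HSTS sent over plain HTTP is ignored by browsers; send it on the HTTPS response"]
    d = parse_hsts(header)
    findings: List[str] = []
    max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
    if max_age < MIN_PRELOAD_MAX_AGE:
        findings.append(f"max-age={max_age} is below the one-year preload minimum")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains can still be downgraded")
    if "preload" not in d:
        findings.append("preload missing: the very first visit is still a plain HTTP request")
    return findings


# Constructed sample header values: Mistake 3 (HSTS without preload) and the best practice.
MISTAKE_3 = "max-age=31536000; includeSubDomains"
BEST_PRACTICE = "max-age=63072000; includeSubDomains; preload"

if __name__ == "__main__":
    for label, value in (("Mistake 3", MISTAKE_3), ("Best practice", BEST_PRACTICE)):
        print(label, hsts_findings(value) or ["preload-ready"])
```

Run it against the header your own server returns on its HTTPS response (not on the HTTP redirect) to see which of the three conditions you still miss.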
Don’t worry — most popular websites like Facebook, LinkedIn, and banks already use HSTS Preloading. 😄
That’s All for Now 🙂
Stay safe and secure! 🔐