The State of HTTP Security

What is the state of HTTP security today for the web? Are most people enabling HTTPS? Luckily, there's an open project that tracks this and more, which we will examine here.

The web primarily runs on HTTP, but to ensure the security, integrity, and privacy of end-to-end connections, clients communicate over a secured form of HTTP known as HTTPS.

The importance of a secure communications channel shouldn’t be underestimated. It should be standard for web applications of any size, whether static or dynamic, and indeed HTTPS is more prevalent than ever.

An important push for HTTPS has been made by browsers themselves, such as Chrome’s continuous attempts to discourage the use of HTTP by portraying any such websites as potentially dangerous.

A prime example of this push is Chrome’s recent hardened policy about mixed content which actively blocks HTTP requests. This follows prior actions taken to increase the importance of security aspects of the web, such as:

Figure 3-1: Chrome DevTools new Security panel

The HTTP Archive

The HTTP Archive is an important initiative by web activists that tracks various aspects and traits of how the web evolves over time. The projects in the HTTP Archive are open source and managed by a community of developers.

Some of the well-known reports that the HTTP Archive has published online are:

  • State of the Web: tracks the adoption of web technologies and growing web standards across websites. It reports on data points such as Total Requests, Pages with Vulnerable JavaScript libraries, and the prevalence of HTTP/2 Requests in websites, with an aim to identify trends.
  • State of JavaScript: tracks the overall impact of JavaScript in a website, with data points such as the size of JavaScript libraries in a website, the number of JavaScript requests, and the boot-up time, which indicates the amount of CPU time each script consumes on a webpage.
  • Accessibility Report: tracks an overall accessibility score as noted by Chrome’s Lighthouse tool and other accessibility traits and standards such as the use of Image Alt attributes.

The data for all HTTP Archive reports is made available via Google’s BigQuery for anyone to examine. It is compiled by analyzing Alexa’s top 1 million websites in bi-weekly scans using WebPageTest, an open source project and online web performance tool.

HTTPS Requests

Using the HTTP Archive as a tool, we can see the growing trend toward secure by default with regard to HTTPS adoption by websites.

The earliest data point is January 2016, which shows that 24% of desktop websites use HTTPS. This grew to a whopping 87.7% by August 2020 across the same category.

Figure 3-2: HTTP Archive's State of the Web - HTTPS Requests

Secure Hosting

With the growth of HTTPS, static website hosting platforms have adjusted, adopting similar standards and helping push towards a more secure web.

All of the following platforms for deploying and hosting your websites will serve your content over HTTPS:

  • Vercel
  • Netlify
  • Google’s Firebase
  • Heroku

This helps strengthen the ubiquity of HTTPS and its accessibility for small and large websites alike.

Let’s Encrypt has certainly contributed a lot to a secure web by making certificates affordable (completely free).