What Is HTTPS?
HTTPS (HyperText Transfer Protocol Secure) is the encrypted version of HTTP — the protocol your browser uses to load websites. The "S" stands for Secure, and it means all traffic between the visitor's browser and your server is encrypted using TLS (Transport Layer Security, commonly still called SSL).
When a site uses HTTPS:
- The browser shows a padlock icon in the address bar
- The URL starts with
https:// - Data in transit cannot be read or altered by third parties
When a site uses plain HTTP, everything is transmitted in clear text.
Why It Matters for Schools
Login credentials travel in plain text
If your school portal (SIS, LMS, email login) runs over HTTP, every username and password typed by staff or students is sent across the network unencrypted. Anyone on the same Wi-Fi — a student in the library, a visitor in the canteen — can capture these with free tools.
Form submissions are exposed
Enrollment forms, contact forms, and any page where students or parents submit personal information are all vulnerable on HTTP sites. This is a direct violation of RA 10173 (Data Privacy Act) obligations to protect personal data in transit.
Browsers now actively warn users
Chrome, Firefox, and Edge mark HTTP sites as "Not Secure" in the address bar. For school websites, this damages trust and may cause parents and students to abandon forms or logins.
Google and search engines penalize HTTP
Since 2018, Google has used HTTPS as a ranking signal. HTTP school sites rank lower in search results.
HTTP vs HTTPS: What the Difference Looks Like
| Scenario | HTTP | HTTPS |
|----------|------|-------|
| Login form submission | Password sent in plain text | Password encrypted |
| Enrollment form | Student data readable in transit | Data encrypted |
| Attacker on same Wi-Fi | Can read all traffic | Sees only encrypted noise |
| Browser indicator | "Not Secure" warning | Padlock icon |
What Is an SSL/TLS Certificate?
An SSL certificate is a digital document that:
- 1Proves your domain belongs to you (domain validation)
- 2Contains the encryption keys used to secure the connection
- 3Is issued by a trusted Certificate Authority (CA)
Certificates must be renewed periodically (typically every 90 days for free certificates, or 1–2 years for paid ones).
How to Get HTTPS for Free
Let's Encrypt is a free, automated certificate authority trusted by all major browsers. Most web hosts now offer one-click HTTPS setup using Let's Encrypt.
If your school uses cPanel hosting:
- 1Log in to cPanel
- 2Find SSL/TLS or AutoSSL
- 3Enable AutoSSL for your domain — it provisions and renews automatically
If your school uses Cloudflare:
- 1Add your domain to Cloudflare (free plan)
- 2Enable Always Use HTTPS in SSL/TLS settings
- 3Set SSL mode to Full (Strict)
If you manage your own server (Nginx/Apache):
Use Certbot to obtain and auto-renew a Let's Encrypt certificate:
```bash
sudo certbot --nginx -d yourschool.edu.ph
```
After Enabling HTTPS: Important Steps
- 1Redirect all HTTP to HTTPS — ensure
http://yourschool.edu.phautomatically redirects tohttps://yourschool.edu.ph - 2Update internal links — change hardcoded
http://links in your site tohttps:// - 3Fix mixed content — if your HTTPS page loads resources (images, scripts) over HTTP, browsers will block or warn about them
- 4Enable HSTS — once HTTPS is stable, add the HSTS header to prevent downgrade attacks (see the HSTS Explainer)
Check Your Site
The Site Scanner will tell you whether your school's site is running HTTPS, whether the certificate is valid, and whether HTTP redirects to HTTPS properly.
Related Resources
- HSTS Explained — the next step after enabling HTTPS
- Content Security Policy — prevent mixed content and injection attacks
- Site Scanner — check your site's HTTPS configuration now