The State of HTTP Security
What is the state of HTTP security today for the web? Are most people enabling HTTPS? Luckily, there's an open project that tracks this and more, which we will examine here.
The web primarily runs on HTTP, but to ensure the security, integrity, and privacy of end-to-end connections, clients communicate over a secure version of HTTP known as HTTPS.
The importance of a secure communications channel shouldn’t be underestimated. It should be standard for web applications of any size, whether static or dynamic, and indeed HTTPS is more prevalent than ever.
An important push for HTTPS has been made by browsers themselves, such as Chrome’s continuous attempts to discourage the use of HTTP by portraying any such websites as potentially dangerous.
A prime example of this push is Chrome’s recent hardened policy on mixed content, which actively blocks HTTP requests. This follows prior actions taken to increase the importance of security aspects of the web, such as:
- Clearer indications of a website’s security based on a green lock icon in the address bar
- A dedicated Security panel on Chrome’s DevTools
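As an added example (not part of the original lesson), the check below lists the subresources an HTTPS page would request over plain HTTP, which is the mixed content that Chrome's policy targets. The function names, the tag/attribute table, and the sample HTML are assumptions made for illustration.

```javascript
// Added example: find subresources an HTTPS page would load over plain HTTP.
// The tag/attribute table is a simplifying assumption, not Chrome's full rule set.
const SUBRESOURCE_ATTRS = new Map([
  ["script", ["src"]], ["img", ["src"]], ["iframe", ["src"]],
  ["audio", ["src"]], ["video", ["src", "poster"]], ["source", ["src"]],
  ["embed", ["src"]], ["object", ["data"]], ["link", ["href"]],
]);

function parseAttrs(attrText) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  for (const m of attrText.matchAll(re)) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4]).trim();
  }
  return attrs;
}

function findMixedContent(pageUrl, html) {
  const page = new URL(pageUrl);
  // Mixed content only arises when the top-level page itself is HTTPS.
  if (page.protocol !== "https:") return [];
  const findings = [];
  for (const [, rawTag, attrText] of html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g)) {
    const tag = rawTag.toLowerCase();
    const attrs = parseAttrs(attrText);
    // <link rel=canonical> and <a href> are references, not subresource loads.
    if (tag === "link" && !/\bstylesheet\b/i.test(attrs.rel ?? "")) continue;
    for (const name of SUBRESOURCE_ATTRS.get(tag) ?? []) {
      if (!attrs[name]) continue;
      // Relative and protocol-relative URLs inherit the page's scheme.
      let resolved;
      try { resolved = new URL(attrs[name], page); } catch { continue; }
      if (resolved.protocol === "http:") findings.push({ tag, attr: name, url: resolved.href });
    }
  }
  return findings;
}

// Constructed sample page, for illustration only.
const SAMPLE_HTML = `
<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://static.example.com/site.css">
<script src="//cdn.example.com/app.js"></script>
<img src="/img/logo.png">
<img src='http://images.example.com/banner.jpg'>
<a href="http://example.org/">external link</a>
`;
console.log(findMixedContent("https://example.com/", SAMPLE_HTML));
```

Only the stylesheet and the banner image are reported; the protocol-relative script, the relative image, the canonical link, and the anchor are not HTTP subresource loads on an HTTPS page.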
The HTTP Archive
The HTTP Archive is an important initiative by web activists that tracks various aspects and traits of how the web evolves over time. The projects in the HTTP Archive are open source and managed by a community of developers.
Some of the well-known reports that the HTTP Archive has published online are:
- State of the Web: tracks the adoption of web technologies and growing web standards across websites. It reports on data points such as Total Requests, Pages with Vulnerable JavaScript libraries, and the prevalence of HTTP/2 Requests in websites, with an aim to identify trends.
- State of JavaScript: tracks the overall impact of JavaScript in a website, with data points such as the size of JavaScript libraries in a website, the amount of JavaScript requests, and the boot-up time which indicates the amount of CPU time each script consumes on a webpage.
- Accessibility Report: tracks an overall accessibility score as noted by Chrome’s Lighthouse tool and other accessibility traits and standards such as the use of Image Alt attributes.
The data for all HTTP Archive reports is made available via Google’s BigQuery for anyone to examine. It is compiled by analyzing Alexa’s top 1 million websites in bi-weekly scans using the open source project and the online web performance tool WebPageTest.
HTTPS Requests
Using the HTTP Archive as a tool, we can see the growth in trend of
The earliest data point is January 2016, which states that 24% of desktop websites use HTTPS. This grew to a whopping 87.7% by August 2020 across the same category.
Secure Hosting
With the growth of HTTPS, static website hosting platforms have adjusted, adopted similar standards, and helped push towards a more secure web.
All of the following platforms for deploying and hosting your websites will serve your content over HTTPS:
- Vercel
- Netlify
- Google’s Firebase
- Heroku
This helps strengthen the ubiquity of HTTPS and its accessibility for small and large websites alike.
Let’s Encrypt has certainly contributed a lot to a secure web by making certificates affordable (completely free).