SSL/TLS Explained: How to Add HTTPS to Your Web App
HTTPS is no longer optional. Browsers flag HTTP sites as "Not Secure." Search engines penalize them. Users don't trust them. This guide explains how SSL/TLS works and how to get HTTPS running on your web app — automatically.
What Is SSL/TLS?
SSL (Secure Sockets Layer) is the predecessor to TLS (Transport Layer Security). Both are cryptographic protocols that encrypt data in transit between a client (browser) and a server. When you see the padlock icon in a browser, TLS is active.
Despite SSL being deprecated in favor of TLS 1.2/1.3, people still use "SSL" colloquially. When someone says "SSL certificate," they mean a TLS certificate.
What TLS Actually Does
TLS provides three things:
1. Encryption — Data is encrypted so eavesdroppers can't read it.
2. Authentication — The certificate proves the server is who it claims to be.
3. Integrity — Data cannot be tampered with in transit without detection.
The TLS Handshake (Simplified)
When a browser connects to your HTTPS server:
1. Browser sends a "ClientHello" with its supported TLS versions and cipher suites (and, in TLS 1.3, its ephemeral key share).
2. Server responds with its certificate chain, the chosen cipher suite and its own key share.
3. Browser verifies the chain up to a trusted Certificate Authority (CA) and checks that a name on the certificate matches the host it connected to.
4. Both sides derive the session keys from an ephemeral Diffie-Hellman exchange, so a later compromise of the server's private key does not expose recorded sessions (forward secrecy).
5. All subsequent communication is encrypted and integrity-protected with those session keys.
TLS 1.3 completes this in a single round trip (1-RTT, versus two for TLS 1.2) and removes RSA key exchange and the legacy cipher suites, so it is both faster and harder to misconfigure.
Certificates and Certificate Authorities
A TLS certificate contains:
- The hostnames it is valid for, listed as Subject Alternative Names (SANs). Browsers ignore the legacy Common Name field, so every name you serve must appear as a SAN.
- Your public key
- A validity window (notBefore / notAfter)
- A digital signature from a trusted CA (e.g., Let's Encrypt, DigiCert)
Browsers ship with a list of trusted root CAs. If your certificate chains, via the CA's intermediate certificate, to one of them, browsers trust it automatically. That intermediate has to be sent along with your own certificate, which is why a server is configured with fullchain.pem rather than the leaf certificate alone.
Let's Encrypt: Free, Automated Certificates
[Let's Encrypt](https://letsencrypt.org) is a free, automated, open CA that has made HTTPS accessible for everyone. It issues 90-day certificates and provides the ACME protocol for automated renewal.
PandaStack uses Let's Encrypt to automatically provision and renew TLS certificates for all custom domains — you add your domain in the dashboard and HTTPS is issued without any manual steps.
Manually Setting Up TLS with Certbot
If you're managing your own server:
```bash
# Install Certbot (Ubuntu/Debian)
sudo apt install certbot python3-certbot-nginx

# Issue a certificate for Nginx; list every hostname you serve, each becomes a SAN
sudo certbot --nginx -d example.com -d www.example.com

# Test auto-renewal without touching the live certificate
sudo certbot renew --dry-run
```

Certbot edits your Nginx config to add HTTPS and installs a systemd timer for renewal. A successful dry run only proves renewal can work today; confirm the timer is actually scheduled with `systemctl list-timers certbot.timer`, because a certificate that silently fails to renew is the most common way a site goes dark 90 days later.
Nginx HTTPS Configuration
```nginx
server {
    listen 443 ssl http2;   # on nginx >= 1.25.1 use "listen 443 ssl;" plus "http2 on;"
    server_name example.com www.example.com;

    # Certbot keeps these symlinks pointing at the current certificate across renewals
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # TLS 1.0/1.1 disabled. ssl_ciphers only governs TLS 1.2; the TLS 1.3 suites are fixed by OpenSSL
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;

    # HSTS for two years; "always" also sends it on error responses.
    # Note: an add_header inside any location block replaces this one, it is not inherited.
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        proxy_pass http://localhost:3000;
    }
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
```

HSTS: HTTP Strict Transport Security
The Strict-Transport-Security header tells browsers to always use HTTPS for your domain — even if someone types http://:

```
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
```

Once a browser has received the header over HTTPS (it is ignored on plain HTTP), it rewrites http:// URLs for that host to https:// locally, without a network round trip, for max-age seconds; 63072000 is two years. includeSubDomains extends the policy to every subdomain, so make sure all of them serve HTTPS before you add it. The preload directive does not put you on any list by itself: it signals consent to be included in the browser HSTS preload list, which you submit to at hstspreload.org. Submission requires max-age of at least one year (31536000), includeSubDomains, preload, and a redirect from HTTP to HTTPS on the base domain. Once preloaded, the domain is HTTPS-only at the browser level before the first visit, and removal takes months to propagate through browser releases, so treat preloading as a one-way decision.
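The following Python snippet is added here as an illustration and is not code from the original article. It parses a Strict-Transport-Security value the way RFC 6797 describes (unknown directives are ignored, max-age is mandatory), lists the reasons a header would be rejected by the preload list, and models what a browser does with a stored policy: whether an http:// request to a host gets upgraded, given how long ago the policy was seen. The header strings it is run on are constructed test inputs; PRELOAD_MIN_AGE is the one-year minimum from hstspreload.org.

```python
from __future__ import annotations

PRELOAD_MIN_AGE = 31536000  # one year; the minimum max-age hstspreload.org accepts


def parse_hsts(header: str) -> dict:
    """Split a Strict-Transport-Security value into its directives."""
    result = {"max_age": None, "include_subdomains": False, "preload": False, "errors": []}
    for raw in header.split(";"):
        part = raw.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age may be quoted
        if name == "max-age":
            if value.isdigit():
                result["max_age"] = int(value)
            else:
                result["errors"].append(f"bad max-age value {value!r}")
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
        else:
            # Browsers ignore unknown directives; record it as a likely typo
            result["errors"].append(f"unknown directive {name!r}")
    if result["max_age"] is None:
        result["errors"].append("max-age missing; the header has no effect")
    return result


def preload_problems(header: str) -> list[str]:
    """Reasons the header would fail preload submission; empty list means eligible."""
    p = parse_hsts(header)
    problems = list(p["errors"])
    if p["max_age"] is not None and p["max_age"] < PRELOAD_MIN_AGE:
        problems.append(f"max-age {p['max_age']} is below {PRELOAD_MIN_AGE}")
    if not p["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not p["preload"]:
        problems.append("preload directive missing")
    return problems


def upgrades(policy_host: str, header: str, request_host: str, elapsed: int) -> bool:
    """Would a browser that stored `header` for policy_host `elapsed` seconds ago
    rewrite an http:// request to request_host into https://?"""
    p = parse_hsts(header)
    if p["max_age"] is None or elapsed >= p["max_age"]:
        return False  # no policy, max-age=0 (policy cleared), or the policy aged out
    policy_host = policy_host.lower()
    request_host = request_host.lower()
    if request_host == policy_host:
        return True
    # Subdomains are covered only when includeSubDomains was present
    return p["include_subdomains"] and request_host.endswith("." + policy_host)


if __name__ == "__main__":
    for h in ("max-age=63072000; includeSubDomains; preload", "max-age=300", "max-age=0"):
        print(f"{h!r}: preload problems = {preload_problems(h)}")
    print(upgrades("example.com", "max-age=63072000; includeSubDomains", "api.example.com", 1000))
```

The `upgrades` function is the part worth internalising: a policy with includeSubDomains seen once on example.com silently turns http://legacy.example.com into https://legacy.example.com for two years, which is why the directive is only safe after every subdomain serves TLS.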
Common HTTPS Issues
Mixed content: Your page is served over HTTPS but loads resources (images, scripts) over HTTP. Browsers block active mixed content (scripts, stylesheets, iframes) outright; current browsers try to auto-upgrade images and media to HTTPS and block them if that fails. Fix by updating all asset URLs to https:// (protocol-relative // also works but there is no reason to prefer it today). As a safety net for content you do not control, the Content-Security-Policy: upgrade-insecure-requests header makes the browser rewrite any remaining http:// subresource URLs to https:// before fetching them.
Certificate mismatch: Certificate was issued for www.example.com but you're accessing example.com. Use Subject Alternative Names (SANs) to cover both.
Expired certificate: Let's Encrypt certs last 90 days. Always verify auto-renewal is working.
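The Python script below is an added example, not code from the article, that turns the two checks above (name coverage and expiry) into something you can run from a monitoring job. It works on the dictionary that Python's ssl module returns from getpeercert(): hostname matching is done against the DNS SANs only, with the usual single-label wildcard rule, and the Common Name is deliberately ignored as browsers ignore it. SAMPLE_CERT is a constructed record with made-up dates, not a real certificate. probe() does a live handshake with default verification and also reports the negotiated protocol version and cipher suite from the handshake described earlier; it needs network access and only runs when a hostname is given on the command line.

```python
from __future__ import annotations

import socket
import ssl
import time

# Constructed sample in the shape of ssl.SSLSocket.getpeercert(); not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",
}

SECONDS_PER_DAY = 86400


def _san_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a wildcard that stands for exactly one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    rest = pattern[2:]
    if "." not in rest:
        return False  # refuse patterns like *.com
    labels = hostname.split(".")
    # *.api.example.com covers foo.api.example.com but not api.example.com or a.b.api.example.com
    return len(labels) >= 2 and ".".join(labels[1:]) == rest


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by a DNS SAN. The Common Name is ignored, as browsers do."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_san_matches(san, hostname) for san in sans)


def days_until_expiry(cert: dict, now_ts: float | None = None) -> float:
    """Days left on the certificate; negative once it has expired."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now_ts = time.time() if now_ts is None else now_ts
    return (not_after - now_ts) / SECONDS_PER_DAY


def check_cert(cert: dict, hostname: str, now_ts: float | None = None, warn_days: int = 30) -> list[str]:
    """Human-readable problems with the certificate for this hostname; empty means fine."""
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append(f"certificate does not cover {hostname}")
    days = days_until_expiry(cert, now_ts)
    if days <= 0:
        problems.append(f"certificate expired {-days:.0f} days ago")
    elif days < warn_days:
        problems.append(f"certificate expires in {days:.0f} days; check renewal")
    return problems


def probe(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live handshake with the system trust store; returns what was negotiated."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED and hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:   # server_hostname sends SNI
            cert = tls.getpeercert()
            return {
                "version": tls.version(),        # e.g. "TLSv1.3"
                "cipher": tls.cipher()[0],       # negotiated suite name
                "days_left": round(days_until_expiry(cert), 1),
                "problems": check_cert(cert, hostname),
            }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        march_20_2024 = 1710892800  # 2024-03-20 00:00:00 UTC, chosen to sit inside the sample's validity
        print(check_cert(SAMPLE_CERT, "example.com", now_ts=march_20_2024))
```

Run with a hostname to probe a real server, or without arguments to see the sample flagged for both a name mismatch (only www.example.com is in the SAN list) and an approaching expiry. Wire `check_cert` into whatever alerting you have: Let's Encrypt renews at 30 days before expiry, so a certificate with fewer than about 25 days left means renewal has already failed at least once.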
```bash
# Check certificate expiry (-servername sends SNI so a shared host returns the right certificate)
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates
```

On PandaStack
When you deploy any app on PandaStack — static site, Docker container, managed WordPress — and add a custom domain via [dashboard.pandastack.io](https://dashboard.pandastack.io), a Let's Encrypt certificate is issued and renewed automatically. No Certbot, no cron jobs, no manual renewal. See [docs.pandastack.io](https://docs.pandastack.io) for domain setup instructions.
Conclusion
TLS is the foundation of web security. Understanding how certificates work, how Let's Encrypt automates issuance, and how to configure HTTPS correctly will make you a more capable developer. On managed platforms, this complexity is abstracted away — but knowing what happens under the hood is invaluable when things go wrong.