HTTPS
This note is about HTTPS, Hypertext Transfer Protocol Secure, used to keep HTTP communication secret over a public network.
HTTPS is basically HTTP on top of SSL/TLS. It means that all HTTP requests and their content are encrypted.
When you have secrets, you need HTTPS. You should set up HTTPS whenever you have a web service that sends or receives confidential data. Without HTTPS, anyone who can observe those requests can read them.
Login functionality automatically means confidential data.
Always deploy HTTPS fully. All content and requests must be sent using HTTPS. Redirect any HTTP requests to HTTPS endpoints. Partial usage leaves security holes.
When part of your website does not use HTTPS, a logged-in user can be redirected there and their cookies can be read, giving full access to the account.
Learn about HSTS. Enable HSTS (HTTP Strict Transport Security) to improve your security further. The web server sends a response header declaring that clients must use only HTTPS connections to it.
Use secure cookies. Add the Secure flag to cookies. Then clients only send them with HTTPS requests.