Security & Compliance · Level 1
The basics
Mission briefing
Mission 5-A: A security auditor is poking at the site and pings the team: "Why is this page served over HTTP?" There's a small lock icon missing from the address bar on one page — and that tiny missing lock is apparently a real problem.
That page loads over plain HTTP instead of HTTPS. The 'S' in HTTPS means the connection is encrypted — scrambled so no one in between can read it. Without it, anything typed on that page travels in the open, readable by anyone snooping the network.
The scrambling itself is encryption — turning readable data into nonsense that only the right key can unlock. HTTPS encrypts the conversation between the browser and the server. The missing lock icon means this one page isn't doing that.
Two more words you'll hear constantly, and people mix them up: authentication is proving *who you are* — logging in. Authorization is what you're *allowed to do* once you're in. Auth-n is the ID check at the door; auth-z is which rooms your badge opens.
So the fix is forcing HTTPS on that page. And the auth distinction finally clicks — the "you're logged in but can't access this" state I keep designing is authorization, not authentication. Different screen, different message.
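As an added example (not part of the lesson), here is a tiny request handler that does both things this briefing describes: it forces HTTPS by redirecting plain-HTTP requests and sending an HSTS header, then keeps the authentication failure (401, not logged in) apart from the authorization failure (403, logged in but not allowed). The session tokens, roles and paths are constructed for the example.

```javascript
// Constructed session store and route rules for the example (not real data).
// Maps are used instead of plain objects so a token like "constructor" cannot
// accidentally hit Object.prototype.
const SESSIONS = new Map([
  ["tok-alice", { user: "alice", roles: ["viewer"] }],
  ["tok-root", { user: "root", roles: ["viewer", "admin"] }],
]);
const REQUIRED_ROLE = new Map([["/account", "viewer"], ["/admin", "admin"]]);

// HSTS: once a browser has seen this over HTTPS it stops trying plain HTTP
// for the host, so the "missing lock" cannot come back on a later visit.
const HSTS = { "Strict-Transport-Security": "max-age=31536000; includeSubDomains" };

// req is a constructed stand-in for a real request:
// { scheme, host, path, headers: { authorization } }
function handle(req) {
  // Step 1: force HTTPS. Anything that arrived in the clear is sent back to
  // the encrypted URL; nothing else is processed on the plain connection.
  if (req.scheme !== "https") {
    return { status: 301, headers: { Location: `https://${req.host}${req.path}` } };
  }

  const neededRole = REQUIRED_ROLE.get(req.path);
  if (!neededRole) return { status: 200, headers: HSTS, body: "public page" };

  // Step 2: authentication - do we know who this is? (auth-n: the ID check)
  const auth = (req.headers || {}).authorization || "";
  const token = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : "";
  const session = SESSIONS.get(token);
  if (!session) return { status: 401, headers: HSTS, body: "please log in" };

  // Step 3: authorization - is this known user allowed here? (auth-z: the badge)
  if (!session.roles.includes(neededRole)) {
    return { status: 403, headers: HSTS, body: `${session.user} may not view ${req.path}` };
  }
  return { status: 200, headers: HSTS, body: `hello ${session.user}` };
}
```

In practice the redirect is applied to the whole site rather than one page, since every plain-HTTP URL is one more place the snooping described above can happen.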
A page that collects user info is served over HTTP, not HTTPS. How serious is this?