
SSL certificate: why your website needs HTTPS
3 min read below · WebYes knowledge base
An SSL certificate encrypts traffic between visitor and website. Read how HTTPS works, which certificate types exist and how to check your site.
An SSL certificate (technically: TLS certificate) ensures traffic between the browser and your website is encrypted over HTTPS. Without a certificate, third parties can read or manipulate data, browsers show a warning and you lose trust and visibility.
How does SSL/TLS work in short?
When a visitor opens your site over HTTPS, the browser and server first negotiate an encrypted connection. The certificate proves the server really belongs to your domain, and the encryption ensures nobody along the way can read or alter passwords, payment details or form input.
The name SSL has stuck, but the underlying protocol has been called TLS (Transport Layer Security) for years. Modern servers use TLS 1.2 or 1.3; older versions are considered insecure and should be disabled.
Which types of certificates exist?
Certificates differ in how strictly the applicant is verified, not in the strength of the encryption. For most websites a free domain-validated certificate is enough.
| Type | What is verified | Who it is for |
|---|---|---|
| DV (domain validation) | Only that you control the domain | Almost every website; free via e.g. Let's Encrypt |
| OV (organisation validation) | Domain plus the organisation's registration | Businesses wanting extra recognisability |
| EV (extended validation) | Full legal verification of the organisation | Banks, insurers, payment services |
Encryption strength is identical across all three; the difference is the identity check.
Enforcing HTTPS with HSTS
Installing a certificate is step one; making sure visitors always arrive over HTTPS is step two. Set up an automatic redirect from HTTP to HTTPS and add the Strict-Transport-Security (HSTS) header. That header instructs browsers to access your site exclusively over HTTPS from then on, even when someone types the address without https.
HSTS is one of the security headers the WebYes scan checks within the security pillar. If the header is missing or the certificate has expired, you see it in the report immediately.
Common mistakes
The most frequent problems we see in scans: a certificate that quietly expired because auto-renewal was never set up, mixed content (an HTTPS page loading images or scripts over HTTP, which still triggers a browser warning), and old TLS versions left enabled on the server.
All of them are easy to prevent: enable auto-renewal, load all assets over HTTPS and have your hosting provider disable TLS 1.0 and 1.1.
Frequently asked questions
Is an SSL certificate mandatory?
No law literally demands a certificate, but in practice you cannot do without one. Browsers mark HTTP sites as 'not secure', unencrypted forms are a privacy risk under the GDPR and Google favours HTTPS pages in its search results.
What does an SSL certificate cost?
A domain-validated certificate is free through certificate authorities such as Let's Encrypt and is included with most hosting plans. Paid OV and EV certificates cost tens to hundreds of euros per year and mainly add identity verification, not stronger encryption.
How do I check whether my certificate is set up correctly?
Click the padlock in the address bar for the expiry date and issuer. For a full check, including TLS versions, redirects and HSTS, use the free WebYes scan: it tests the entire SSL configuration within the security pillar.
The WebYes scan measures this too
Scan your website for free on speed, security, mobile and accessibility and see where you stand.
Start free scan