HTTPS, TLS & CDNs
The 🔒 in your address bar, and the global network that makes sites fast and hard to take down. This is where “it’s secure and it’s fast” stops being magic.
⏱ ~16 min · 🔴 Advanced · Prerequisites: Lectures 1–4
🎯 What you’ll be able to do
- Explain what the 🔒 actually guarantees (and what it doesn’t)
- Walk through the TLS handshake and the role of certificates
- Describe what a CDN/reverse-proxy does and why Cloudflare sits in front of your site
- Explain caching and how a CDN absorbs DDoS attacks
Part 1 — HTTPS & TLS
The mental model
Plain HTTP is a postcard — every router between you and the server can read it. HTTPS puts the postcard in a sealed, tamper-evident envelope that only the real server can open. TLS is the protocol that creates that envelope.
What HTTPS guarantees (and what it doesn’t)
| ✅ HTTPS gives you | ❌ HTTPS does NOT give you |
|---|---|
| Encryption — eavesdroppers see gibberish | Proof the site is honest (scammers have HTTPS too) |
| Integrity — data can’t be silently altered | Protection once data is on the server |
Authentication — you reached the real ayrisglobal.com, not an impostor | Anonymity — your ISP still sees which domain you visited |
Certificates — the ID card
A TLS certificate is a file proving “this server really is ayrisglobal.com”, signed by a trusted Certificate Authority (CA). Your browser ships with a list of CAs it trusts; if the cert checks out, you get the 🔒.
Free certs changed the web
Let’s Encrypt made TLS certificates free and automatic. Today Cloudflare, Vercel, etc. provision and auto-renew them for you — you usually never touch a cert by hand. There’s no excuse for plain HTTP anymore.
The TLS handshake
Before any of this, the browser and server complete the TCP 3-way handshake (lecture 1) — TLS rides on top of an already-open TCP connection. Watch it set up, and watch what happens when a packet is lost:
After that TCP connection is open, before any HTTP:
Client → "Hello, here are the ciphers I support"
Server → "Hello, here's my certificate (proving I'm ayrisglobal.com)"
Client → verifies cert against trusted CAs ✅, then they agree on a shared secret key
Both → switch to encrypted communication 🔒
From here, every HTTP request/response is encrypted with that session key. This setup costs round-trips — another reason latency matters and CDNs help.
Part 2 — CDNs & reverse proxies
The mental model
A CDN (Content Delivery Network) is a fleet of servers spread across the globe that sit in front of your origin host. Instead of every visitor reaching your one server (maybe far away), they hit the nearest CDN edge — faster, and shielding your origin.
Without CDN: user in Tokyo ──────── long trip ────────► your server in Mumbai
With CDN: user in Tokyo ─► Tokyo edge (cached!) ┄┄(only if needed)┄┄► Mumbai origin
What sitting “in front” buys you
| Benefit | How |
|---|---|
| Speed | Cached static files served from an edge near the user |
| Lower origin load | Edges absorb most requests; your server sees a fraction |
| DDoS protection | A huge distributed network soaks up attack traffic before it reaches you |
| TLS termination | The CDN handles certs/encryption at the edge |
| Always-on tricks | WAF (firewall), bot filtering, redirects at the edge |
This is your Cloudflare setup
Your DNS is on Cloudflare, and Cloudflare proxies your traffic (the orange-cloud toggle). So Cloudflare is your CDN + reverse proxy + TLS provider + DNS all at once — visitors hit a Cloudflare edge, which serves cached content or forwards to your origin. That
cf-rayheader from lecture 4 is the edge announcing itself.
Caching — the core idea
The CDN keeps copies of things that don’t change per-user (images, CSS, JS, static pages) at the edge, governed by cache headers:
Cache-Control: public, max-age=31536000 → "cache this for a year" (great for versioned assets)
Cache-Control: no-store → "never cache" (personalized/sensitive responses)
Static frontends (lecture 4) are ideal here: nearly everything is cacheable, so almost no request ever touches an origin server.
⚠️ Common misconceptions
| Myth | Reality |
|---|---|
| ”The 🔒 means the site is safe/legit.” | It means the connection is encrypted and you reached the real domain. Phishing sites have 🔒 too. |
| ”HTTPS protects my data everywhere.” | Only in transit. Once on the server, server-side security takes over. |
| ”A CDN is only for big sites.” | Free CDN tiers make it the default even for tiny sites — speed + DDoS protection for nothing. |
| ”Caching will serve stale content forever.” | Cache headers + versioned filenames control exactly how long; you stay in control. |
🧪 Try it yourself
# Inspect the certificate and the TLS handshake in detail
curl -vI https://ayrisglobal.com # look for the TLS lines + cert
# See CDN/cache + security headers (cf-ray, cf-cache-status, server)
curl -I https://ayrisglobal.com
# Full cert chain + expiry (Mac/Linux)
echo | openssl s_client -connect ayrisglobal.com:443 -servername ayrisglobal.com 2>/dev/null | openssl x509 -noout -dates -issuer
A cf-cache-status: HIT means that response came straight from a Cloudflare edge cache — your origin never even saw the request.
✅ Check yourself
What three things does HTTPS guarantee?
Encryption (eavesdroppers see gibberish), integrity (data can’t be silently altered), and authentication (you reached the genuine domain). It does not guarantee the site is honest or that data is safe once on the server.
What is a TLS certificate and who signs it?
A file proving a server’s identity for a domain, signed by a trusted Certificate Authority (CA). Browsers trust a built-in list of CAs; a valid cert from one of them produces the 🔒.
Name three things a CDN does beyond making sites faster.
Reduces origin load (edges absorb most requests), provides DDoS protection (distributes/absorbs attack traffic), terminates TLS at the edge, and can run a firewall/bot-filtering/redirects close to users.
Why are static frontends a perfect fit for a CDN?
Almost everything they serve is identical for every user (HTML/CSS/JS/images), so it’s highly cacheable — edges can serve nearly all requests without ever touching an origin server.
The 🔒 is showing — does that mean the site is safe to hand my card to?
No. The 🔒 only means the connection is encrypted and you reached the real domain. It says nothing about the owner’s honesty — phishing sites get valid certs too. “Encrypted” and “trustworthy” are different questions.
Does TLS sit directly on the network, or on something else first?
On something else: TLS rides on top of an already-open TCP connection. The browser completes the TCP 3-way handshake first, then runs the TLS handshake over it, then sends encrypted HTTP. If TCP can’t connect, TLS never even starts.
What does Cloudflare's `cf-cache-status: HIT` tell you?
That response was served straight from a Cloudflare edge cache — your origin server never saw the request. A MISS means the edge had to fetch from your origin (and may now cache it for next time).
🙋 Still Unclear?
Paste any of these into Claude to go deeper:
Walk me through a full HTTPS request to ayrisglobal.com from the moment I press
Enter: DNS, TCP handshake, TLS handshake, then the encrypted HTTP exchange. Tell
me exactly what is and isn't encrypted at each step.
I have a certificate, a Certificate Authority, and a chain of trust. Explain how
my browser actually decides to trust a cert it has never seen before — what is it
checking, and what makes a self-signed cert fail?
Explain Cache-Control: max-age vs no-store with a concrete example for my static
site behind Cloudflare. Which of my files should be cached for a year and which
must never be cached, and why?
🤖 Why AI Can’t Do This For You
An AI can recite “TLS encrypts traffic” all day, but it can’t be the one who reads a curl -vI dump and spots that your cert expired last night, or notices a cf-cache-status: MISS on a file that should be a HIT and traces it to a wrong cache header. When a user reports “the site says not secure,” the value is in you knowing whether it’s an expired cert, a mixed-content asset, or a misconfigured proxy — and fixing it. The mental model of what the 🔒 guarantees (and what it quietly does not) is what stops you from trusting a phishing site or shipping a security hole. That judgment lives in your head, not in a prompt.
📚 Resources
- 🟢 Cloudflare — What is HTTPS / SSL / TLS: cloudflare.com/learning/ssl/what-is-https
- 🟢 Cloudflare — What is a CDN: cloudflare.com/learning/cdn/what-is-a-cdn
- 🟡 How HTTPS works (illustrated): howhttps.works
- 🔴 High Performance Browser Networking — TLS chapter: hpbn.co/transport-layer-security-tls
🧾 Key terms
TLS · the encryption protocol · HTTPS · HTTP over TLS · Certificate · signed proof of identity · CA · who signs certs · Handshake · key-agreement setup · CDN · global edge network · Reverse proxy · sits in front of your origin · Edge · a nearby CDN server · TLS termination · CDN handles encryption · Cache header · how long to keep a copy.
One-line summary
TLS wraps HTTP in an encrypted, authenticated envelope (the 🔒); a CDN puts cached copies near users in front of your origin — giving speed, lower load, free TLS, and DDoS protection. Cloudflare does all of this for your site at once.
Module done? Add it to today’s tracker