
HTTPS.

Performance Best Practices

HTTP/2 and HTTP/3 require HTTPS — faster multiplexed connections

What does this check test?

This check verifies that the site is served over HTTPS (TLS/SSL). Beyond the well-known security benefits, HTTPS is a prerequisite for modern performance-enhancing protocols. HTTP/2 — which offers multiplexed requests, header compression, and server push — requires HTTPS in all major browsers. HTTP/3 (QUIC) also requires HTTPS and adds faster connection establishment (0-RTT) and improved loss recovery. Without HTTPS, the site is limited to HTTP/1.1, which uses sequential request queuing and requires multiple TCP connections for parallelism.

Why does it matter?

HTTP/2 multiplexing allows dozens of resources to download simultaneously over a single TCP connection, eliminating the HTTP/1.1 head-of-line blocking problem where browsers limited parallel downloads to 6 connections per origin. HTTP/2 header compression (HPACK) reduces overhead on every request. HTTP/3 further improves performance with QUIC transport that eliminates TCP head-of-line blocking and enables 0-RTT connection resumption. Sites on HTTP/1.1 (no HTTPS) load measurably slower because resources must queue and wait for available connections. HTTPS is also required for Service Workers, Brotli compression, and many modern web APIs.

Who is affected?

Every website should use HTTPS — it is now free via Let's Encrypt and a requirement for modern web features. Sites still on HTTP are penalized in Google search rankings, flagged as 'Not Secure' in browser address bars, and cannot use HTTP/2, HTTP/3, Service Workers, or Brotli compression. Legacy sites, development environments exposed to the internet, and sites behind older load balancers that do not terminate TLS are the most common offenders.

Where does this apply?

Check the Protocol column in the Chrome DevTools Network panel: resources should show 'h2' (HTTP/2) or 'h3' (HTTP/3), not 'http/1.1'. The Security panel shows TLS certificate details and any mixed content issues. Mixed content (an HTTPS page loading HTTP resources) can also cause performance issues by preventing HTTP/2 for those resources and triggering browser security warnings.

How to fix it

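Obtain a free TLS certificate from Let's Encrypt and enable HTTP/2. Full Nginx config with HTTPS, HTTP/2, HSTS, and OCSP stapling:

```nginx
# Redirect all plain-HTTP traffic to HTTPS
server {
  listen 80;
  return 301 https://$host$request_uri;
}

server {
  # On nginx 1.25.1 and later, "listen 443 ssl;" plus "http2 on;" replaces the http2 listen parameter
  listen 443 ssl http2;
  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

  # HSTS: two-year max-age; "always" also sends the header on error responses
  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
  # OCSP stapling
  ssl_stapling on;
  ssl_stapling_verify on;
}
```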
Fix mixed content by updating all resource URLs to use HTTPS or protocol-relative URLs. For HTTP/3, use a server that supports QUIC (nginx with quiche, Caddy, or Cloudflare/CDN). Consider TLS 1.3 for its faster handshake (1-RTT vs 2-RTT for TLS 1.2).
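
One way to confirm the deployment after applying the config above, as an added example that is not AppVet's own code: it audits a captured port-80 reply and HTTPS reply for the redirect, the negotiated ALPN protocol, the HSTS policy, and an HTTP/3 advertisement. The function names, the one-year HSTS threshold, and the sample values are assumptions made for this illustration.

```python
import socket
import ssl

def negotiated_alpn(host, port=443, timeout=5.0):
    """Live probe: the ALPN protocol the server selects ('h2' or 'http/1.1')."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.selected_alpn_protocol()

def parse_hsts(value):
    """Split a Strict-Transport-Security value into (max_age, flags)."""
    max_age, flags = None, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name.lower() == "max-age" and arg.strip('"').isdigit():
            max_age = int(arg.strip('"'))
        elif name:
            flags.add(name.lower())
    return max_age, flags

def audit(redirect_status, redirect_location, alpn, headers):
    """Return findings for one captured port-80 reply plus one HTTPS reply."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if redirect_status not in (301, 308) or not redirect_location.lower().startswith("https://"):
        findings.append("port 80 does not permanently redirect to https://")
    if alpn != "h2":
        findings.append(f"ALPN negotiated {alpn!r}, not 'h2'")
    if "strict-transport-security" not in h:
        findings.append("no Strict-Transport-Security header")
    else:
        max_age, flags = parse_hsts(h["strict-transport-security"])
        if max_age is None or max_age < 31536000:  # assumed threshold: one year
            findings.append("HSTS max-age below one year")
        if "preload" in flags and "includesubdomains" not in flags:
            findings.append("HSTS preload set without includeSubDomains")
    if "h3" not in h.get("alt-svc", ""):
        findings.append("no h3 in Alt-Svc, so HTTP/3 is not advertised")
    return findings

# Constructed samples: GOOD mirrors the nginx config above; BAD is a legacy host.
GOOD = audit(301, "https://example.com/", "h2",
             {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"})
BAD = audit(200, "", "http/1.1", {"Strict-Transport-Security": "max-age=300; preload"})
```

For a live check, pass the result of `negotiated_alpn("your-host")` as the `alpn` argument; the config above passes everything except the HTTP/3 item, since it does not enable QUIC.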
