Port reference

Port 443 (TCP) – HTTPS

HTTPS — HTTP encrypted with TLS, the default secure web protocol.

tcp · Well-known · Commonly attacked

Default state

Open on virtually every public web server. Almost always exposed to the internet to serve encrypted websites and APIs.

Common attacks

  • Weak/deprecated TLS and cipher exploitation (SSLv3, TLS 1.0/1.1, RC4)
  • Certificate issues: expired, self-signed, mismatched, weak keys
  • Web app exploitation (SQLi, XSS, RCE) over the encrypted channel
  • DoS/DDoS and TLS renegotiation abuse

Related CVE: CVE-2014-0160 (OpenSSL Heartbleed)

Hardening

  • Disable SSLv3 and TLS 1.0/1.1; prefer TLS 1.2/1.3 with strong ciphers
  • Use valid certificates with strong keys and automate renewal
  • Enable HSTS and disable insecure renegotiation/compression
  • Keep OpenSSL and the web stack patched (e.g. Heartbleed)
  • Front with a WAF and monitor TLS posture continuously

nmap snippet

nmap -p443 --script ssl-enum-ciphers,ssl-cert,http-title,http-headers <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 443?

Port 443 is the well-known port for HTTPS — HTTP over TLS. It carries the same web requests and responses as port 80 but inside an encrypted, integrity-protected TLS tunnel, so a browser visiting https://example.com connects here by default. It is the standard port for secure websites, REST/GraphQL APIs, and most modern application traffic.

Why it matters for security

TLS on 443 protects confidentiality and integrity in transit and lets clients authenticate the server via its certificate. But encryption only covers the channel: the web application behind it can still be vulnerable, and a misconfigured TLS stack (old protocols, weak ciphers, bad certificates) gives a false sense of safety. Historically, flaws in the underlying library — such as the OpenSSL Heartbleed bug (CVE-2014-0160) — leaked memory straight off 443.

How it's attacked

Attackers target weak or deprecated TLS (SSLv3, TLS 1.0/1.1, RC4) and downgrade attempts to break or read the encryption. Certificate problems — expired, self-signed, or weak-key certs — enable spoofing and MITM. The application layer is still exploited (SQLi, XSS, RCE), just over TLS, and library bugs like Heartbleed have leaked private keys and session data. DDoS and renegotiation abuse round out the threats.

Hardening checklist

Disable SSLv3 and TLS 1.0/1.1, prefer TLS 1.2/1.3 with strong cipher suites, and disable insecure renegotiation and compression. Serve valid certificates with strong keys and automate renewal. Enable HSTS, keep OpenSSL and the web stack patched, and front the site with a WAF. The nmap snippet enumerates supported ciphers and inspects the certificate so you can spot weak TLS on systems you are authorized to test.
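
To turn the scan output into a pass/fail check against this checklist, the following added example (not part of the original page) parses saved nmap text and flags deprecated protocols, RC4, TLS compression and a missing HSTS header. The sample output is constructed, the audit function name is hypothetical, and the parser assumes nmap's default human-readable layout for ssl-enum-ciphers and http-headers.

```python
import re

# Constructed sample of nmap output for illustration; not captured from a real host.
SAMPLE = """\
443/tcp open  https
| http-headers:
|   Server: nginx
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       DEFLATE
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|_  least strength: C
"""

DEPRECATED = {"SSLv3", "TLSv1.0", "TLSv1.1"}          # protocols the checklist disables
PROTO_RE = re.compile(r"^[|_ ]+((?:SSLv|TLSv)[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^[|_ ]+(TLS_\S+)")

def audit(nmap_text):
    """Return checklist violations found in saved nmap output (hypothetical helper)."""
    findings, proto, section = [], None, None
    for line in nmap_text.splitlines():
        m = PROTO_RE.match(line)
        if m:                                          # start of a per-protocol block
            proto, section = m.group(1), None
            if proto in DEPRECATED:
                findings.append(f"deprecated protocol enabled: {proto}")
            continue
        body = line.lstrip("|_ ").strip()
        if body in ("ciphers:", "compressors:"):       # sub-section inside the block
            section = body[:-1]
        elif section == "ciphers" and (c := CIPHER_RE.match(line)) and "RC4" in c.group(1):
            findings.append(f"RC4 cipher offered on {proto}: {c.group(1)}")
        elif section == "compressors" and body not in ("NULL", "") and ":" not in body:
            findings.append(f"TLS compression enabled on {proto}: {body}")
    if "strict-transport-security:" not in nmap_text.lower():
        findings.append("HSTS header missing")         # relies on http-headers output
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

An empty list means none of these four conditions appeared in the scan text; it does not cover certificate validity or renegotiation, which the ssl-cert output and other tooling address.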

Frequently asked questions

What is the difference between port 80 and 443?
Port 80 is cleartext HTTP; port 443 is HTTPS, the same protocol wrapped in TLS encryption. Use 443 for all real traffic and 80 only to redirect to it.

Does HTTPS on 443 make my site secure?
TLS encrypts the connection but does not fix application bugs. Weak ciphers, bad certificates, or vulnerabilities like Heartbleed (CVE-2014-0160) can still expose data.