Level 01 — Foundation

HTTPS Only

Just turn on TLS/SSL on your server. That's it. Nothing changes in your code.

01 What it actually is

You buy an SSL certificate (or get a free one from Let's Encrypt) and configure it in Nginx, Apache, or Cloudflare. Your URL changes from http:// to https://. The browser shows a 🔒 padlock.

Your code stays exactly the same. TLS runs automatically below your code, in the transport layer underneath HTTP. Nothing in your Express handlers or Angular components needs to know it exists.

→ Real-world example

Your portfolio website, a blog, a marketing landing page. Anywhere there's no login, no user data, no sensitive information — just public content served safely.

02 Node.js side

Plain old Express. Notice there is zero encryption code anywhere. The res.json() call sends plain JSON; the browser receives plain JSON. TLS encrypts the bytes in transit — your code never touches that layer.

server.js
JavaScript
// server.js — plain old Express, NO encryption code
const express = require('express');
const app = express();
app.use(express.json());

app.get('/api/users', (req, res) => {
  // Just send plain JSON. Browser sees plain JSON.
  res.json([
    { id: 1, name: 'Aarav', email: 'aarav@example.com' }
  ]);
});

app.listen(3000);
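
Where the encryption actually happens, as an added example that is not part of the original page: an Nginx site configuration that terminates TLS and forwards the decrypted requests to the Express app above. The certificate paths (certbot's default layout), the same-host setup, and the reuse of api.yoursite.com as the server name are assumptions.

```nginx
# Added example: TLS terminated by Nginx in front of the Express app.
# Assumptions (not from the page): Let's Encrypt/certbot default paths,
# Nginx and Node on the same host, hostname reused from the Angular snippet.

# Plain HTTP: carries no API traffic, only redirects to HTTPS.
# The weak variant would proxy_pass from this block and serve the
# same JSON in cleartext.
server {
    listen 80;
    listen [::]:80;
    server_name api.yoursite.com;
    return 301 https://$host$request_uri;
}

# HTTPS: the only place encryption happens.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name api.yoursite.com;

    ssl_certificate     /etc/letsencrypt/live/api.yoursite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.yoursite.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;   # refuse SSLv3 and TLS 1.0/1.1

    location / {
        # The decrypted request reaches Express as ordinary HTTP on loopback.
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

Because app.listen(3000) binds every interface, firewall port 3000 or bind Express to 127.0.0.1 so clients cannot reach the app without going through TLS. Run `nginx -t` to validate the file before reloading.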

03 Angular side

No crypto code anywhere. The only thing that matters is the URL — it must start with https://. The browser handles the rest.

users.component.ts
TypeScript
// users.component.ts — no crypto code anywhere
this.http.get('https://api.yoursite.com/users')
  .subscribe(data => this.users = data);

04 What it protects (and what it doesn't)

| Threat | Protected? | Why / Why not |
|---|---|---|
| Someone sniffing traffic on a coffee-shop Wi-Fi | Yes | TLS encrypts every byte in transit. Sniffer sees only ciphertext. |
| Man-in-the-middle attempting to alter responses | Yes | TLS authenticates the server via the certificate chain. |
| Anyone calling the API directly | No | There's no authentication — anyone with the URL can hit it. |
| A compromised server or leaked logs | No | Data is plaintext on the server. TLS only protects transit. |

→ Where Level 1 fails

The moment you have users with their own data, Level 1 stops being enough. Anyone who knows the URL can fetch any user's data. You need authentication — that's Level 2.

05 Key takeaways