Why is HTTP not secure? The difference between HTTP and HTTPS

  • By Gcore
  • February 28, 2023

HTTP, also known as Hypertext Transfer Protocol, serves as a language for your browser and web server to communicate over the internet. Every action on the internet, from searching for recipes to online equity trading, is possible thanks to HTTP data transfer. Important as HTTP is for data communication on the World Wide Web, it has one significant flaw: it is not secure. That’s where HTTPS (Hypertext Transfer Protocol Secure) comes into play. HTTPS is a secure protocol that uses encryption to protect the data transmitted between your browser and the server.

In this article, we’ll compare and contrast the differences between HTTP and HTTPS. Additionally, you’ll learn about the basics of HTTP and why it is not secure. By the time you finish reading, you will fully understand the importance of using HTTPS to secure your website and application.

Key points about HTTP

HTTP is a communication protocol. It enables the exchange of information between clients and servers over the internet, using a request-response model where the client (typically a web browser) sends an HTTP request to the server, and the server responds with an HTTP response.

For example, once you visit a website and type the URL in the browser, the browser sends an HTTP request to the server, which then sends back the requested web page.

HTTP is a stateless protocol. The protocol itself does not retain any information about previous requests: neither endpoint “remembers” them, so each request from the client is treated as new. That said, services built on HTTP need to associate multiple requests from the same browser, so cookies act as unique identifiers stored in the browser that help applications retrieve session data.

For example, when you visit the same site repeatedly without re-entering your login credentials, that’s a cookie in action (and HTTP is transferring that info unencrypted, which we address in the next section).

HTTP is a text-based protocol. HTTP uses a set of standardized messages to facilitate communication between clients and servers. These messages include HTTP methods (such as GET, POST, PUT, and DELETE) and status codes (such as “200 OK,” “404 Not Found,” and “500 Internal Server Error”). We’ll dive into these concepts in more detail later.

For example, when you click a link on a web page, the browser sends an HTTP GET request to the server to retrieve the linked page, and the server responds with a 200 OK status code and the HTML for the new page.

How does HTTP work?

HTTP works by following a set of rules for formatting the messages sent between the client (e.g. a web browser) and the server that hosts the requested web page. Here’s how:

  1. A client sends an HTTP request to the web server. When a user enters a website address (URL) and presses “enter” on their device, the client sends an HTTP request to the web server. The request contains specific details about the requested resource, such as the type of request (e.g., GET, POST), headers (metadata about the request), and a message body (optional).
  2. The web server receives the request. The server processes it, and sends back an HTTP response to the client. The response contains information about the requested resource, such as the HTTP version, status code, headers (metadata about the response), and a message body (optional).
  3. The client receives the response. It now renders the content in the browser window.

For instance, say you’re planning a movie night with friends and you’re interested in checking out some reviews for the latest releases. While connected to the internet, you might type in “http://imdb.com” into your browser’s address bar, and the browser will do the rest, connecting to the server and returning the web page to you.

What is HTTP request and response?

An HTTP request is a message generated by the client (usually your browser) that is sent to the server. For instance, if you search for a “reliable CDN at an affordable price” on Google, you might click on one of the websites in the search results. Once you click on that link, your browser generates an HTTP request for you to visit the site and get that information.

An HTTP request has the following components:

  • HTTP method. This is the type of request that a browser (client) sends to the server to initiate an action. The most commonly used HTTP methods are GET, POST, PUT, DELETE and PATCH. Each method has a specific purpose and can perform different types of operations on the server. For example, when you open a website about CDNs, you send a GET request. It’s called “get” because such a request helps to get the content of the website.
  • URL. This stands for “uniform resource locator” and it refers to the address of the page you are trying to access. For example, you may visit the https://gcore.com address because we provide a CDN.
  • Resource path. The part of a URL that identifies a specific resource on a server. This portion of the URL comes after the domain name and any subdirectories. For example, in the URL “https://gcore.com/cdn/gaming,” the resource path is “/cdn/gaming.” The server uses the resource path to locate and retrieve the requested resource, such as a web page, an image, or any other data type.
  • HTTP protocol version. This is a number indicating the version of the HTTP protocol being used for a particular request or response. The HTTP protocol has gone through several versions, including HTTP/0.9, HTTP/1.0, HTTP/1.1, HTTP/2 and HTTP/3. Each version has its own features and improvements over the previous versions.
  • Request headers. These are a list of additional details included in an HTTP request to provide more context and information about the request being made. For example, it can include the type of browser being used, the language preferences of the user, and the type of content being requested.
  • HTTP body. This is the optional data that your browser sends as part of the HTTP request. The HTTP body might contain HTML, JSON, XML, or any other type of content that the client wants to send.

In this example, the client uses the GET method with index.html as the resource path for the URL www.example.com and the HTTP/1.1 protocol version. The request also includes headers that provide more information, such as the type of browser (Mozilla/5.0) and the preferred language and content type.

Now that you’re familiar with HTTP requests, let’s discuss what an HTTP response is.

An HTTP response is the message that a server sends to a client after receiving an HTTP request. It contains the data that the client requested, such as a web page or a file, along with additional information such as the status of the request and any headers. The response is typically sent using the HTTP protocol and can be customized based on the specific request from the client.

HTTP responses generally consist of the following information:

  • HTTP protocol version. As with the HTTP request, this indicates which protocol version was used for a given request or response. The standard versions are HTTP/1.1, HTTP/2 and HTTP/3.
  • HTTP status code. The HTTP status code is a three-digit code that a server sends back to the client in response to its request. This code indicates the success, failure, or other status of the request. For example, the “200 OK” status means that the request succeeded.
  • Status message. A server generates an HTTP response and sends it to a client with the purpose of fulfilling the client’s request for a resource, notifying the client that the requested action has been completed, or indicating that an error occurred during the processing of the request.
  • Response headers. An HTTP response header is a section of a network packet that a web server transmits to a web browser or client device in response to an HTTP request. Its purpose is to provide additional information about the server’s response and the requested resource. The header also facilitates the transfer of web content and other web-based data from the server to the browser of the end-user who requested it during web communications.

In this example, the response headers indicate that the server responded with an HTTP 200 OK status code on November 15, 2022 at 9:12:31 GMT. The server is running Apache version 2.4.6 (CentOS). The content type is text/html, telling us that the response body (the content) contains HTML code. Finally, the content length is 1274 bytes, indicating the overall size of the content.

Why is HTTP not secure?

HTTP does not encrypt data during client-to-server communication, which means that any data transmitted over HTTP is sent in plain text without any encryption or security mechanisms. As a result, it can be intercepted and read by anyone with access to the network traffic, including cybercriminals. Additionally, HTTP does not provide any authentication, making it vulnerable to man-in-the-middle attacks. Attackers can eavesdrop on communication between a server and a client, resulting in the theft of personal information such as login credentials and credit card numbers.

For instance, say you set up an e-commerce website that sells shoes and you take online payments. If your website uses HTTP, chances are high that users’ credentials and other account details can be easily intercepted and stolen by cybercriminals.
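
To make the request components and the plain-text exposure concrete, the following added example (not part of the original article) parses a constructed HTTP login request as its bytes would appear on the network and lists what any on-path observer could read. The host shop.example, the account values and the helper names are assumptions made for illustration.

```python
import base64
from urllib.parse import parse_qsl

# Constructed sample: a login request as its bytes cross the network over
# plain HTTP. Host, account name and secrets are made up for this example.
SAMPLE_REQUEST = (
    b"POST /account/login HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept-Language: en-US\r\n"
    b"Cookie: session_id=constructed-session-123; theme=dark\r\n"
    b"Authorization: Basic YWxpY2U6czNjcmV0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 30\r\n"
    b"\r\n"
    b"username=alice&password=s3cret"
)

# Form field names treated as sensitive (an assumption; extend for your app).
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "token", "card_number", "cvv"}


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, path, version, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def exposed_secrets(request: dict) -> list:
    """Return (location, value) pairs readable by anyone who sees the traffic."""
    findings = []
    headers = request["headers"]

    # Cookies: every cookie is listed; a session identifier among them lets
    # whoever reads it reuse the logged-in session.
    for pair in headers.get("cookie", "").split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            findings.append((f"cookie:{name}", value))

    # Basic authentication is base64 encoding, not encryption.
    scheme, _, credential = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            credential = base64.b64decode(credential, validate=True).decode("utf-8")
        except ValueError:
            pass  # malformed value: report it undecoded
        findings.append(("authorization:basic", credential))
    elif scheme:
        findings.append((f"authorization:{scheme.lower()}", credential))

    # URL-encoded form bodies carry the submitted fields verbatim.
    content_type = headers.get("content-type", "")
    if content_type.startswith("application/x-www-form-urlencoded"):
        for key, value in parse_qsl(request["body"].decode("utf-8", "replace")):
            if key.lower() in SENSITIVE_FIELDS:
                findings.append((f"form:{key}", value))
    return findings


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req["method"], req["path"], req["version"])
    for location, value in exposed_secrets(req):
        print(f"readable in transit -> {location} = {value}")
```

Over HTTPS the same bytes travel inside the TLS-encrypted connection, so an observer on the network cannot read the path, the headers or the body.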

Therefore, using HTTP on a website or application can indeed lead to various security risks and potential losses, including data theft, legal liabilities and negative impact on business revenue. Here are just a few examples of the consequences possible when relying on HTTP:

| Consequences of Using HTTP | Potential Losses |
| --- | --- |
| Loss of customer trust | Customers may lose trust in the business due to the lack of security on the website. This will lead them to take their business elsewhere. |
| Data breaches | Using HTTP can put sensitive customer information at risk of being stolen by hackers. This can result in legal issues, fines, and a damaged reputation. |
| SEO disadvantages | Websites using HTTP are likely to rank lower in search results compared to HTTPS websites. This can result in decreased website traffic and revenue. |
| Liability issues | If a data breach occurs on a website using HTTP, the business owner may be held liable for damages, fines, and legal fees. |
| Lost revenue | Data breaches and loss of customer trust directly translate to lost revenue for the business. |

How do I know if a website is secure?

There are two easy steps to check if your site is secure.

  1. Check the URL of the website in the address bar. If the beginning of the URL says “http” and not “https”—for example, “http://example.com”—it means that your connection to the site is not secure. This lack of encryption can potentially compromise the security of user data.

  2. Check the security status symbol. On the web address bar, there are symbols that tell us the security of the connection. As an example, with Google Chrome, a padlock icon typically indicates a secure connection, while a not secure icon indicates an unsafe connection. The Info icon may appear in different contexts, such as when displaying additional information about the website or if it’s not secure.

Once you become aware of the security symbols in web browsers, it’s easier to distinguish whether a website is secure. If you own a website and it’s still using HTTP, it’s highly recommended to switch to HTTPS to improve security for potential customers.

What is HTTPS?

HTTPS, short for Hypertext Transfer Protocol Secure, is a more secure version of HTTP. Unlike HTTP, HTTPS encrypts the communication between a web browser and a website, making it more difficult for hackers to eavesdrop, tamper with, or forge data.

This enhanced security makes HTTPS the preferred protocol for online transactions, including online banking and e-commerce, where sensitive information like credit card numbers, passwords, and personal details are transmitted over the internet.

By encrypting data and verifying website identity, HTTPS provides a safe way for users to share and receive information online without worrying about the security of their data.

How does HTTPS work?

HTTPS secures communication between the client and server using asymmetric encryption, a significant improvement over HTTP’s plain text. The encryption protocol used in HTTPS is called Transport Layer Security (TLS). In other words, when a website uses HTTPS, it signifies that the TLS standard is being used to encrypt the data being transmitted between parties. In order to do this, a valid SSL certificate should be installed on the server. From that point, a website can switch from HTTP to HTTPS and activate the lock icon in the address bar.

At its core, TLS provides three key services: encryption, authentication, and data integrity.

  • Encryption. TLS uses encryption to protect data transmitted between clients (e.g., a browser or a native app) and servers. With TLS encryption, plaintext data is transformed into an unreadable text (called ciphertext) that only those with the secret key can access or decrypt. This helps to keep the data secure and protected from unauthorized users.
  • Authentication. TLS helps verify the identity of the server and the client. This is crucial, since it makes sure that the client is speaking with the correct server and not an imposter who might try to steal information.
  • Data integrity. TLS aids in preventing data modification or tampering while it is being transmitted. This proves that the information sent by servers and received by clients is accurate and hasn’t been changed in any way.

What are the benefits of using HTTPS?

As you continue reading and learn more about how HTTPS works, you may be curious about the benefits of using it as either a website owner or a regular user. Is it really worth it to switch from HTTP to HTTPS? And what advantages does HTTPS bring to the table? Here are the benefits:

  1. Data encryption and integrity. HTTPS uses encryption to protect sensitive data that users send and receive on a website, such as login credentials or credit card information. It also ensures data integrity, meaning that the data transmitted between the user’s browser and the web server has not been tampered with or altered during transmission. This can help prevent hackers from intercepting or stealing this data.
  2. Authentication. HTTPS verifies that the website that a user is visiting is the authentic website and not an impostor. This can help prevent phishing attacks and build trust with visitors.
  3. Improved SEO. Google uses HTTPS as a ranking signal, so websites that use HTTPS may rank higher in search results than those that don’t.
  4. Regulatory compliance. Many industries have regulatory requirements for data security and privacy, and using HTTPS can help meet these requirements.
  5. Boost brand reputation. Alert signs for non-HTTPS websites are displayed by popular web browsers like Chrome and Firefox, which may discourage visitors and damage a website’s credibility. These warnings can be avoided by using HTTPS.

HTTP vs. HTTPS—What’s the difference?

Both HTTP and HTTPS are protocols used for transferring data between web browsers and web servers. However, the main difference between the two is the level of security they offer. HTTPS uses SSL/TLS protocols to authenticate both the web browser and the web server, ensuring that data transmitted between them is encrypted and secure. In contrast, HTTP doesn’t use any encryption protocol, leaving data vulnerable to interception and unauthorized access.

Now that you have learned about the benefits of HTTPS and the potential drawbacks of using HTTP, let’s compare the two in real-life situations to understand how they can differ in impacting your business.

| Feature | HTTP | HTTPS | Real-life example |
| --- | --- | --- | --- |
| Data Security | Not secure, as data is transmitted in plain text | Secure, as data is encrypted between the web browser and the web server | Without HTTPS, sensitive data such as customer login credentials and payment details are vulnerable to interception and theft by hackers. For example, a business that processes credit card transactions on their website would need to use HTTPS to ensure their customers’ financial information is kept safe. |
| Search Engine Optimization (SEO) | Not a ranking factor for SEO | A ranking factor for SEO, as Google prefers secure websites | HTTPS can give a business an SEO advantage over non-HTTPS websites. For example, an e-commerce site that uses HTTPS may rank higher in Google search results for certain keywords compared to a competitor site that doesn’t use HTTPS. |
| Brand Reputation | Lack of HTTPS can harm a business’ reputation and deter potential customers | HTTPS can improve a business’ reputation and instill trust in customers | Without HTTPS, customers may perceive a business as untrustworthy and be less likely to make purchases or share personal information on the site. For example, a medical practice that uses HTTPS to protect patient data can gain a reputation for taking security seriously and earn the trust of its patients. |
| Legal Compliance | Lack of HTTPS could lead to legal issues and fines | HTTPS is increasingly becoming a legal requirement for businesses that process sensitive data | In some industries, such as healthcare and finance, businesses are required by law to protect sensitive data using HTTPS. For example, a financial institution that doesn’t use HTTPS could face legal repercussions for failing to meet data protection standards. |

How to convert from HTTP to HTTPS

Now that you understand the advantages of using HTTPS, you may be wondering how to make the switch from HTTP to HTTPS. To enable HTTPS on your website, you typically need to obtain an SSL/TLS certificate and configure your web server to use it.

  1. Obtain an SSL/TLS certificate. This can be done by purchasing an SSL certificate from a trusted Certificate Authority (CA) or by using a free one like Let’s Encrypt. To obtain an SSL certificate, you will need to provide certain information such as your domain name, organization name (if applicable), and contact details. This information will be used to generate a Certificate Signing Request (CSR), which you will then pass on to the Certificate Authority (CA) to obtain the SSL certificate. Please note that specific information may vary depending on the type of SSL certificate you’re using.
  2. Install the certificate on your web server. The installation process will vary depending on your web server software. Generally, you’ll need to configure your web server to use the certificate and private key you obtained in the previous step. This makes your website available over HTTPS and ensures that the encryption key is in place.
  3. Update your website links. Once the certificate is installed, you’ll need to update your website links to use HTTPS instead of HTTP. This includes updating all internal links, as well as any external links you may have on your site. This step ensures that all content on your website is available over HTTPS and that there are no content warnings.
  4. Test your site. After you’ve enabled HTTPS on your site, it’s important to test it to ensure that everything is working properly. You can use various online tools to check for SSL/TLS certificate errors and mixed content warnings. This step further ensures that your website is available over HTTPS and that there are no errors or warnings that could impact user experience or search engine ranking.

How does Gcore help website owners to enable HTTPS encryption?

At Gcore, we are dedicated to helping our clients to make the switch from HTTP to HTTPS.

With any of our CDN plans, you can issue a free Let’s Encrypt SSL certificate for all domains associated with your Gcore account. Also, you can install a custom SSL certificate from another provider. When the certificate is installed, you can switch from HTTP to HTTPS in a few clicks.

Furthermore, we offer various paid SSL certificates to cater to different industries and sectors. Let’s delve into each of the SSL certificate types we provide:

| Certificate Type | Description | Best for |
| --- | --- | --- |
| DV certificate with domain validation | This certificate is useful for protecting basic web pages such as personal websites and blogs. A Domain Validated (DV) certificate is a type of SSL certificate that provides basic encryption and is issued within minutes. It is typically the most affordable type of SSL certificate and offers the lowest level of validation. An example of a DV certificate is the Let’s Encrypt SSL certificate. | Blogs, informational websites |
| OV certificate with organization validation | This certificate is required for e-commerce and online sales. An OV certificate identifies the website owner and contains a company name. Fraudsters will not be able to pass the validation check and get this certificate. Once this certificate is obtained, a company name is displayed in the browser bar. Such websites are more trustworthy for visitors. | Online stores, websites that require their users to log in |
| IDN certificate | This certificate supports domains in native language characters. If your website domain name does not contain ASCII characters, you’ll need to get an IDN certificate. | Domain and subdomain. Domain names that use non-English languages |
| Wildcard certificate | This certificate covers both the domain and its subdomains. Subdomains must have the same second-level domain name (i.e., domain.com). | Mail server, online banking services, social media platform |

To review the price of each certificate, check out our pricing comparison.

Conclusion

In summary, HTTP is a protocol that is vulnerable to attacks, while HTTPS is a secure version of HTTP that uses encryption to protect data in transit.

Fortunately, switching to HTTPS is a relatively simple process, and the Gcore CDN service allows users to enable HTTPS encryption for free using a Let’s Encrypt certificate. However, using a free SSL certificate has its limitations. Gcore has this covered as well, offering SSL certificates with various validation levels, including DV, OV, IDN, and Wildcard, giving website owners several options to choose from based on their specific requirements. Finally, seeking guidance from experts can help website owners ensure their websites are adequately secured and protected from potential threats.

Related articles

3 use cases for geo-aware routing with Gcore DNS

If your audience is global but you’re serving everyone the same content from the same place, you're likely sacrificing performance and resilience. Gcore DNS (which includes a free-forever plan and enterprise-grade option) offers a straightforward way to change that with geo-aware routing, a feature that lets you return different DNS responses based on where users are coming from.This article breaks down how Gcore's geo-routing works, how to set it up using the GeoDNS preset in dynamic response mode, where it shines, and when you might be better off with a different option. We’ll walk through three hands-on use cases with real config examples, highlight TTL trade-offs, and call out what developers need to know about edge cases like resolver mismatch and caching delays.What is geo-aware DNS routing?Gcore DNS lets you return different IP addresses based on the user’s geographic location. This is configured using dynamic response rules with the GeoDNS preset, which lets you match on continent, country, region, ASN, or IP/CIDR. When a user makes a DNS request, Gcore uses the resolver’s location to decide which record to return.You can control traffic to achieve outcomes like:Directing European users to an EU-based CDN endpointSending users in regions with known service degradation to a fallback instanceBehind the scenes, this is done by setting up metadata pickers and specifying fallback behavior.For step-by-step guidance, see the official docs: Configure geo-balancing with Dynamic response.How to configure GeoDNS in Gcore DNSTo use geo-aware routing in Gcore DNS, you'll configure a dynamic response record set with the GeoDNS preset. This lets you return different IPs based on region, country, ASN, or IP/CIDR metadata.Basic stepsGo to DNS → Zones in the Gcore Customer Portal. 
(If you don’t have an account, you can sign up free and use Gcore DNS in just a few clicks.)Create or edit a record set (e.g., for app.example.com).Switch to Advanced mode.Enable Dynamic response.Choose the GeoDNS preset.Add responses per region or country.Define a fallback record for unmatched queries.For detailed step-by-step instructions, check out our docs.Once you’ve set this up, your config should look like the examples shown in the use cases below.Common use casesEach use case below includes a real-world scenario and a breakdown of how to configure it in Gcore DNS. These examples assume you're working in the DNS advanced mode zone editor with dynamic response enabled and the GeoDNS preset selected.The term “DNS setup” refers to the configuration you’d enter for a specific hostname in the Gcore DNS UI under advanced mode.1. Content localizationScenario: You're running example.com and want to serve language-optimized infrastructure for European and Asian users. This use case is often used to reduce TTFB, apply region-specific UX, or comply with local UX norms. If you're also localizing content (e.g., currency, language), make sure your app handles that via subdomains or headers in addition to routing.Objective:EU users → eu.example.comAsia users → asia.example.comAll others → global.example.comDNS setup:Host: www.example.comType: A TTL: 120 Dynamic response: Enabled Preset: GeoDNS Europe → 185.22.33.44 # EU-based web server Asia → 103.55.66.77 # Asia-based web server Fallback → 198.18.0.1 # Global web server2. Regional CDN failoverScenario: You’re using two CDN clusters: one in North America, one in Europe. If one cluster is unavailable, you want traffic rerouted regionally without impacting users elsewhere. 
To make this work reliably, you must enable DNS Healthchecks for each origin so that Gcore DNS can automatically detect outages and filter out unhealthy IPs from responses.Objective:North America → na.cdn.example.comEurope → eu.cdn.example.comEach region has its own fallbackDNS setup:Host: cdn.example.comType: A TTL: 60 Dynamic response: Enabled Preset: GeoDNS North America → 203.0.113.10 # NA CDN IP Backup (NA region only) → 185.22.33.44 # EU CDN as backup for NA Health check → Enabled for 203.0.113.10 with HTTP/TCP probe settingsEurope → 185.22.33.44 # EU CDN IP Backup (EU region only) → 203.0.113.10 # NA CDN as backup for EU Health check → Enabled for 185.22.33.44Note: Multi-level fallback by region isn’t supported inside one rule set—you need to separate them to keep routing decisions clean.3. Traffic steering for complianceScenario: You need to keep EU user data inside the EU for GDPR compliance while routing the rest of the world to lower-cost infrastructure elsewhere. This approach is useful for fintech, healthcare, or regulated SaaS workloads where regulatory compliance is a challenge.Objective:EU users → EU-only backendAll other users → Global backendDNS setup:Host: transactions.example.com Type: A TTL: 300 Dynamic response: Enabled Preset: GeoDNS Europe → 185.10.10.10 # EU regional API node Fallback → 198.51.100.42 # Global API nodeEdge casesGeoDNS works well, but it’s worth keeping in mind a few edge cases and limitations when you get set up.Resolver location ≠ user locationBy default, Gcore uses ECS (EDNS Client Subnet) for precise client subnet geo-balancing. If ECS isn’t present, resolver IP is used, which may skew location (e.g., public resolvers, mobile carriers). ECS usage can be disabled in the ManagedDNS UI if needed.Caching slows failoverEven if your upstream fails, users may have cached the original IP for minutes. Fallback + TTL tuning are key.No sub-regional precisionYou can route by continent, country, or ASN—but not city. 
City-level precision isn’t currently supported.Gcore delivers simple solutions to big problemsGeo-aware routing is one of those features that quietly solves big problems, especially when your app or CDN runs globally. With Gcore DNS, you don’t need complex infrastructure to start optimizing traffic flow.Geo-aware routing with Gcore DNS is a lightweight way to optimize performance, localize content, or handle regional failover. If you need greater precision, consider pairing GeoDNS with in-app geolocation logic or CDN edge logic. But for many routing use cases, DNS is the simplest and fastest way to go.Get free-forever Gcore DNS with just a few clicks

Flexible DDoS mitigation with BGP Flowspec cover image

Flexible DDoS mitigation with BGP Flowspec

For customers who understand their own network traffic patterns, rigid DDoS protection can be more of a limitation than a safeguard. That’s why Gcore supports BGP Flowspec: a flexible, standards-based method for defining granular filters that block or rate-limit malicious traffic in real time…before it reaches your infrastructure.In this article, we’ll walk through:What Flowspec is and how it worksThe specific filters and actions Gcore supportsCommon use cases, with example rule definitionsHow to activate and monitor Flowspec in your environmentWhat is the BGP Flowspec?BGP Flowspec (RFC 8955) extends Border Gateway Protocol to distribute traffic filtering rules alongside routing updates. Instead of static ACLs or reactive blackholing, Flowspec enables near-instantaneous propagation of mitigation rules across networks.BGP tells routers how to reach IP prefixes across the internet. With Flowspec, those same BGP announcements can now carry rules, not just routes. Each rule describes a pattern of traffic (e.g., TCP SYN packets >1000 bytes from a specific subnet) and what action to take (drop, rate-limit, mark, or redirect).What are the benefits of the BGP Flowspec?Most traditional DDoS protection services react to threats after they start, whether by blackholing traffic to a target IP, redirecting flows to a scrubbing center, or applying rigid, static filters. These approaches can block legitimate traffic, introduce latency, or be too slow to respond to fast-evolving attacks.Flowspec offers a more flexible alternative.Proactive mitigation: Instead of waiting for attacks, you can define known-bad traffic patterns ahead of time and block them instantly. Flowspec lets experienced operators prevent incidents before they start.Granular filtering: You’re not limited to blocking by IP or port. 
With Flowspec, you can match on packet size, TCP flags, ICMP codes, and more, enabling fine-tuned control that traditional ACLs or RTBH don’t support.

  • Edge offloading: Filtering happens directly on Gcore’s routers, offloading your infrastructure and avoiding scrubbing latency.
  • Real-time updates: Changes to rules are distributed across the network via BGP and take effect immediately, faster than manual intervention or standard blackholing.

You still have the option to block traffic during an active attack, but with Flowspec, you gain the flexibility to protect services with minimal disruption and greater precision than conventional tools allow.

Which parts of the Flowspec does Gcore implement?

Gcore supports twelve filter types and four actions of the Flowspec.

Supported filter types

Gcore supports all 12 standard Flowspec match components.

| Filter Field | Description |
|---|---|
| Destination prefix | Target subnet (usually your service or app) |
| Source prefix | Source of traffic (e.g., attacker IP range) |
| IP protocol | TCP, UDP, ICMP, etc. |
| Port / Source port | Match specific client or server ports |
| Destination port | Match destination-side service ports |
| ICMP type/code | Filter echo requests, errors, etc. |
| TCP flags | Filter packets by SYN, ACK, RST, FIN, combinations |
| Packet length | Filter based on payload size |
| DSCP | Quality of service code point |
| Fragment | Match on packet fragmentation characteristics |

Supported actions

Gcore DDoS Protection supports the following Flowspec actions, which can be triggered when traffic matches a specific filter:

| Action | Description |
|---|---|
| Traffic-rate (0x8006) | Throttle/rate limit traffic by byte-per-second rate |
| redirect | Redirect traffic to alternate location (e.g., scrubbing) |
| traffic-marking | Apply DSCP marks for downstream classification |
| no-action (drop) | Drop packets (rate-limit 0) |

Rule ordering

RFC 5575 defines the implicit order of Flowspec rules. The crucial point is that more specific announcements take preference, not the order in which the rules are propagated.

Gcore also respects Flowspec rule ordering per RFC 5575. More specific filters override broader ones. Future support for Flowspec v2 (with explicit ordering) is under consideration, pending vendor adoption.

Blackholing and extended blackholing (eBH)

Remote-triggered blackhole (RTBH) is a standardized protection method that the client manages via BGP by analyzing traffic, identifying the direction of the attack (i.e., the destination IP address). This method protects against volumetric attacks.

Customers using Gcore IP Transit can trigger immediate blackholing for attacked prefixes via BGP, using the well-known blackhole community tag 65000:666. All traffic to that destination IP is dropped at Gcore’s edge.

The list of supported BGP communities is available here.

BGP extended blackhole

Extended blackhole (eBH) allows for more granular blackholing that does not affect legitimate traffic. For customers unable to implement Flowspec directly, Gcore supports eBH. You announce target prefixes with pre-agreed BGP communities, and Gcore translates them into Flowspec mitigations.

To configure this option, contact our NOC at noc@gcore.lu.

Monitoring and limitations

Gcore can support several logging transports, including mail and Slack.

If the number of Flowspec prefixes exceeds the configured limit, Gcore DDoS Protection stops accepting new announcements, but BGP sessions and existing prefixes will stay active. Gcore will receive a notification that you reached the limit.

How to activate

Activation takes just two steps:

  1. Define rules on your edge router using Flowspec NLRI format
  2. Announce rules via BGP to Gcore’s intermediate control plane

Then, Gcore validates and propagates the filters to border routers. Filters are installed on edge devices and take effect immediately.

If attack patterns are unknown, you’ll first need to detect anomalies using your existing monitoring stack, then define the appropriate Flowspec rules.

Need help activating Flowspec? Get in touch via our 24/7 support channels and our experts will be glad to assist.
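The rule-ordering point above (specificity, not announcement order, decides which rule is evaluated first) can be checked before announcing anything. The following is an added example, not Gcore's code: it implements the rule comparison from RFC 5575 section 5.1 for IPv4, and the rule names, prefixes and encoded operator/value bytes are constructed sample values.

```python
import functools
import ipaddress

# Component type codes from RFC 5575 section 4.
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT = 1, 2, 3, 4, 5
PREFIX_TYPES = (DST_PREFIX, SRC_PREFIX)


def _cmp(x, y):
    return (x > y) - (x < y)


def _cmp_prefix(a, b):
    """Lowest value over the common length wins; if equal, the longer prefix wins."""
    na, nb = ipaddress.ip_network(a), ipaddress.ip_network(b)
    shift = 32 - min(na.prefixlen, nb.prefixlen)
    by_value = _cmp(int(na.network_address) >> shift,
                    int(nb.network_address) >> shift)
    return by_value or _cmp(nb.prefixlen, na.prefixlen)


def _cmp_bytes(a, b):
    """Other components: byte-wise compare, then the longer encoding wins."""
    common = min(len(a), len(b))
    return _cmp(a[:common], b[:common]) or _cmp(len(b), len(a))


def rule_cmp(rule_a, rule_b):
    """Return -1 if rule_a is evaluated before rule_b, 1 if after, 0 if equal."""
    a, b = sorted(rule_a.items()), sorted(rule_b.items())
    for i in range(max(len(a), len(b))):
        # A rule that has run out of components compares as "infinity".
        type_a = a[i][0] if i < len(a) else float("inf")
        type_b = b[i][0] if i < len(b) else float("inf")
        if type_a != type_b:
            return _cmp(type_a, type_b)  # lower component type goes first
        compare = _cmp_prefix if type_a in PREFIX_TYPES else _cmp_bytes
        result = compare(a[i][1], b[i][1])
        if result:
            return result
    return 0


def evaluation_order(announced):
    """Names of the rules in the order a router evaluates them."""
    key = functools.cmp_to_key(lambda x, y: rule_cmp(x[1], y[1]))
    return [name for name, _ in sorted(announced, key=key)]


# Constructed sample rules, listed in the order they were announced.
UDP = b"\x81\x11"  # operator 0x81 (end-of-list, equals) + value 17
DNS = b"\x81\x35"  # operator 0x81 (end-of-list, equals) + value 53
ANNOUNCED = [
    ("rate-limit UDP to 203.0.113.0/24",
     {DST_PREFIX: "203.0.113.0/24", IP_PROTO: UDP}),
    ("rate-limit UDP, any destination", {IP_PROTO: UDP}),
    ("drop DNS to 203.0.113.10/32",
     {DST_PREFIX: "203.0.113.10/32", IP_PROTO: UDP, DST_PORT: DNS}),
    ("rate-limit UDP to 198.51.100.0/24",
     {DST_PREFIX: "198.51.100.0/24", IP_PROTO: UDP}),
]

if __name__ == "__main__":
    for position, name in enumerate(evaluation_order(ANNOUNCED), 1):
        print(position, name)
```

The /32 rule is evaluated ahead of the /24 that contains it, and the rule with no destination prefix comes last, whichever order the four were announced in.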

Tuning Gcore CDN rules for dynamic application data caching

Caching services like a CDN service can be a solid addition to your web stack. They lower response latency and improve user experience while also helping protect your origin servers through security features like access control lists (ACLs) and traffic filtering. However, if you’re running a highly dynamic web service, a misconfigured CDN might lead to the delivery of stale or, in the worst case, wrong data.

If you’re hosting a dynamic web service and want to speed it up, this guide is for you. It explains the common issues dynamic services have with CDNs and how to solve them with Gcore CDN.

How does dynamic data differ from static data?

There are two main differences between static and dynamic data:

  • Change frequency: Dynamic data changes more often than static data. Some websites stay the same for weeks or months; others change multiple times daily.
  • Personalized responses: Static systems deliver the same response for a given URL path. Dynamic systems, by contrast, can generate different responses for each user, based on parameters like authentication, location, session data, or user preferences.

Now, you might ask: Aren’t static websites simply HTML pages while dynamic ones are generated on-the-fly by application servers?

It depends.

A website consisting only of HTML pages might still be dynamic if the pages are changed frequently, and an application server that generates HTML responses can serve the same HTML forever and always provide everyone with the same content for a URL. The CDN network doesn’t know how you create the HTML. It only sees the finished product and decides how long it should cache it. You need to decide on a case-by-case basis.

How do cache rules affect dynamic data?

When using a CDN, you have to define rules that govern the caching of your data. If you consider this data dynamic, either because it changes frequently or because you deliver user-specific responses, those rules can drastically impact the user experience, ranging from the delivery of stale data to completely wrong data.

Cache expiration

First, consider cache expiration time. With Gcore CDN, you have two options:

  • Let your origin server control it. This is ideal for dynamic systems using application servers because it gives you precise control without needing to adjust Gcore settings.
  • Let Gcore CDN control it. This works well for static HTTP servers delivering HTML pages that change often. If you can’t modify the server’s cache configuration, using Gcore’s settings is easier.

No matter which method you choose, understand what your users consider “stale” and set the expiration time accordingly.

Query string handling

Next, decide how Gcore CDN should handle URL query parameters. Ignoring them can improve performance—but for dynamic systems that use query strings for server-side sorting, filtering, or pagination, this can break functionality.

For example, a headless CMS might use: https://example.com/api/posts?sort=asc&start=99

If the CDN ignores the query string, it will always deliver the cached response, even if new parameters are requested. So, make sure to disable the Ignore query string parameters setting when necessary.

Cookie bypassing

Cookies are often used for session handling. While ignoring cookies can boost performance, doing so risks breaking applications that rely on them.

For example: https://example.com/api/users/profile

If this endpoint relies on a session cookie, caching without considering the cookie will serve the same user profile to everyone. Be sure to disable “Ignore cookies” if your server uses them for authentication or personalization.

Cache key customization

If you need more detailed control over the caching, you can modify the cache key generation. This key defines the mapping of a request to a cache entry and allows you to manage the granularity of your caching.

The Gcore Customer Portal offers basic customization functionality, and the support team can help with advanced rules. For example, adding the request method (e.g., GET, HEAD, POST, etc.) to your cache key ensures a single URL has a dedicated cache entry for each method instead of using one for all.

GraphQL considerations

Most GraphQL implementations only use POST requests and include the GraphQL query in the request body. This means every GraphQL request will use the same URL and the same method, regardless of the query. Gcore CDN doesn’t check the request body when caching, so every query will result in the same cache key and override each other.

To make sure the CDN doesn’t break your API, turn off caching for all your GraphQL endpoints.

Path-based CDN rules for hybrid content

If your application serves both static and dynamic content across different paths, Gcore CDN rules offer a powerful way to manage caching more granularly.

Using the CDN rules engine, you can create specific rules for individual file paths or extensions. This allows you to apply dynamic-appropriate settings—like disabling caching or respecting cookies—only to dynamic endpoints (e.g., /api/**), while using more aggressive caching for static assets (e.g., /assets/**, /images/**, or /js/**).

This path-level control delivers performance gains from CDN caching without compromising the correctness of dynamic content delivery.

Summary

Using a CDN is an easy way to improve your site’s performance, and even dynamic applications can benefit from CDN caching when configured correctly. Check that:

  • Expiration times reflect real-world freshness needs
  • Query strings and cookies aren’t ignored if they affect the response
  • Cache keys are customized where needed
  • GraphQL endpoints are excluded from caching
  • CDN rules are used to apply different settings for dynamic and static paths

With the right setup, you can safely speed up even the most complex applications.

Explore our step-by-step guide to setting rules for particular files in Gcore CDN.
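The query-string, cookie and GraphQL problems described above all come down to which parts of a request reach the cache key. The following is an added example, not Gcore's code or key algorithm: a simplified edge cache in which the `EdgeCache` class, its option names, the constructed origin and the example.com requests are all hypothetical, run once with the risky settings and once with the corrected ones.

```python
from urllib.parse import urlsplit


def cache_key(req, ignore_query=False, ignore_cookies=True, include_method=False):
    """Map a request to a cache key. The request body is never part of the key."""
    parts = urlsplit(req["url"])
    return (
        parts.netloc,
        parts.path,
        "" if ignore_query else parts.query,
        "" if ignore_cookies else req.get("cookie", ""),
        req["method"] if include_method else "",
    )


class EdgeCache:
    """Hypothetical edge cache: one stored response per cache key."""

    def __init__(self, origin, no_cache_prefixes=(), **key_options):
        self.origin = origin
        self.no_cache_prefixes = tuple(no_cache_prefixes)
        self.key_options = key_options
        self.store = {}

    def fetch(self, req):
        path = urlsplit(req["url"]).path
        if path.startswith(self.no_cache_prefixes):
            return self.origin(req)  # path rule: always go to the origin
        key = cache_key(req, **self.key_options)
        if key not in self.store:
            self.store[key] = self.origin(req)
        return self.store[key]


def origin(req):
    """Constructed origin whose response depends on cookie, query or body."""
    parts = urlsplit(req["url"])
    if parts.path == "/api/users/profile":
        return "profile of " + req.get("cookie", "anonymous")
    if parts.path == "/graphql":
        return "result of " + req.get("body", "")
    return "posts for " + parts.query


def get(url, cookie=""):
    return {"method": "GET", "url": url, "cookie": cookie}


def post(url, body):
    return {"method": "POST", "url": url, "body": body}


def demo():
    """Second response per endpoint, under weak and corrected settings."""
    base = "https://example.com"
    caches = {
        "weak": EdgeCache(origin, ignore_query=True, ignore_cookies=True),
        "fixed": EdgeCache(origin, no_cache_prefixes=("/graphql",),
                           ignore_query=False, ignore_cookies=False),
    }
    results = {}
    for name, cdn in caches.items():
        cdn.fetch(get(base + "/api/users/profile", "session=alice"))
        second_user = cdn.fetch(get(base + "/api/users/profile", "session=bob"))
        cdn.fetch(get(base + "/api/posts?sort=asc&start=0"))
        second_page = cdn.fetch(get(base + "/api/posts?sort=asc&start=99"))
        cdn.fetch(post(base + "/graphql", "{ me { email } }"))
        second_query = cdn.fetch(post(base + "/graphql", "{ posts { title } }"))
        results[name] = (second_user, second_page, second_query)
    return results


if __name__ == "__main__":
    for name, responses in demo().items():
        print(name, responses)
```

With the weak settings the second user receives the first user's profile, which is a data exposure rather than only a staleness problem; the same three requests against your own staging CDN make a quick regression check after any rule change.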

How AI is reshaping the future of interactive streaming

Interactive streaming is entering a new era. Artificial intelligence is changing how live content is created, delivered, and experienced. Advances in real-time avatars, voice synthesis, deepfake rendering, and ultra-low-latency delivery are giving rise to new formats and expectations.

Viewers don’t want to be passive audiences anymore. They want to interact, influence, and participate. For platforms that want to lead, the stakes are growing: innovate now, or fall behind.

At Gcore, we support this shift with global streaming infrastructure built to handle responsive, AI-driven content at scale. This article explores how real-time interactivity is evolving and how you can prepare for what’s next.

A new era for live content

Streaming used to mean watching someone else perform. Today, it’s becoming a conversation between the creator and the viewer. AI tools are making live content more reactive and personalized. A cooking show host can take ingredient requests from the audience and generate live recipes. A language tutor can assess student pronunciation and adjust the lesson plan on the spot. These aren’t speculative use cases—they’re already being piloted.

Traditional cameras and presenters are no longer required. Some creators now use entirely digital hosts, powered by motion capture and generative AI. They can stream with multiple personas, switch backgrounds on command, or pause for mid-session translations. This evolution is not about replacing humans but creating new ways to engage that scale across time zones, languages, and platforms.

Creating virtual influencers

Virtual influencers are digital characters designed to build audiences, promote products, and hold conversations with followers. Unlike human influencers, they don’t get tired, change jobs, or need extensive re-shoots when messaging changes. They’re fully programmable, and the most successful ones are backed by teams of writers, animators, and brand strategists.

For example, a skincare company might launch a virtual influencer with a consistent tone, recognizable look, and 24/7 availability. This persona could host product tutorials in the morning, respond to DMs during the day, and livestream reactions to customer feedback at night—all in the local language of the audience.

These characters are not limited to influencer marketing. A virtual celebrity might appear as a guest at a live product launch or provide commentary during a sports event. The point is consistency, scalability, and control. Gcore’s global delivery network ensures these digital personas perform without delay, wherever the audience is located.

Real-time avatars and AI-generated personas

Real-time avatars use motion capture and emotion detection to mimic human behavior with digital models. A fitness instructor can appear as a stylized avatar while tracking their own real movements. A virtual talk show host can gesture, smile, or pause in response to viewer comments. These avatars do more than just look the part—they respond dynamically.

AI-generated personas build on this foundation with language generation and decision-making. For instance, an edtech company could deploy a digital tutor that asks learners comprehension questions and adapts its tone based on their engagement level. In entertainment, a music artist might perform live as a virtual character that reflects audience mood through color shifts, dance patterns, or facial expression.

These experiences require ultra-low latency. If the avatar lags, the illusion collapses. Gcore’s infrastructure supports the real-time input-output loop needed to make digital characters feel present and responsive.

Deepfake technology for creative storytelling

Deepfakes are often associated with misinformation, but the same tools can be used to build engaging, high-integrity content. The technology enables face-swapping, voice cloning, and character animation, all of which are powerful in live formats.

A museum might use deepfake avatars of historical figures for interactive educational sessions. Visitors could ask questions, and Abraham Lincoln or Golda Meir might respond with historically grounded answers in real time. A brand could create a fictional spokesperson who evolves over time, appearing in product demos, ads, and livestreams. Deepfake technology also allows multilingual content without re-recording—the speaker’s lip movements and tone are modified to match each language.

These applications raise legitimate ethical questions. Gcore’s streaming infrastructure includes controls to ensure the source and integrity of AI-generated content are traceable and secure. We provide the technical foundation that enables deepfake use cases without compromising trust.

Synthetic voices and personalized audio

Audio is often overlooked in discussions about AI streaming, but it’s just as important as video. Synthetic voices today can express subtle emotions and match speaking styles. They can whisper, shout, pause for dramatic effect, and even mimic regional accents.

Let’s consider a news platform that offers interactive daily briefings. Viewers choose their preferred language, delivery style (casual, serious, humorous), and even the voice profile. The AI generates a personalized broadcast on the fly. In gaming, synthetic characters can offer encouragement, warn about strategy mistakes, or narrate progress—all without human voice actors.

Gcore’s streaming infrastructure ensures that synthetic voice outputs are tightly synchronized with video, so users don’t experience out-of-sync dialogue or lag during back-and-forth exchanges.

Increasing interactivity through feedback and participation

Interactivity in streaming now goes far beyond comments or emoji reactions. It includes live polls that influence story outcomes, branching narratives based on audience behavior, and user-generated content layered into the broadcast.

For example, a live talent show might allow viewers to suggest challenges mid-broadcast. An online classroom could let students vote on the next topic. A product launch might include a real-time Q&A where the host pulls questions from chat and answers them in the moment.

All of these use cases rely on real-time data processing, behavior tracking, and adaptive rendering. Gcore’s platform handles the underlying complexity so that creators can focus on building experiences, not infrastructure.

Why low latency is critical

Interactive content only works if it feels immediate. A delay of even a second can break immersion, especially when users are trying to influence the outcome or receive a response. Low latency is essential for real-time gaming, sports, interviews, and educational formats.

A live trivia game with hundreds of participants won’t retain users if there’s a lag between the question appearing and the timer starting. A remote surgery training session won’t work if the avatar’s responses trail behind the mentor’s instructions. In each of these cases, timing is everything.

Gcore Video Streaming minimizes buffering, supports high-resolution streams, and synchronizes data flows to keep participants engaged. Our infrastructure is built to support high-throughput, globally distributed audiences with the responsiveness that interactive formats demand.

Preparing for what’s next

AI-generated content is no longer a novelty. It’s becoming a standard feature of modern streaming strategies. Whether you’re building a platform that features virtual influencers, immersive avatars, or interactive educational streams, the foundation matters. That foundation is infrastructure.

If you’re planning the next generation of live content, we’re ready to help you bring it to life. At Gcore, we provide the performance, scale, and security to launch these experiences with confidence. Our streaming solutions are designed to support real-time content generation, audience interaction, and global delivery without compromise.

Want to see interactive streaming in action? Learn how fan.at used Gcore Video Streaming to deliver ultra-low-latency streams and boost fan engagement with real-time features.

What are captions and subtitles, and how do they work?

Subtitles and captions are essential to consuming video content today. But how do they work behind the scenes?

Creating subtitles and captions involves a five-step process to ensure that your video’s spoken and auditory content is accurately and effectively conveyed. The five steps are transcription, correction, synchronization/spotting, translation, and simulation/display on screen.

The whole process is usually managed using specialized subtitle or caption creator software.

In this blog, we explain the five steps in more detail, what the end user sees, and how to choose the right caption/subtitle service for your needs.

Step 1: Transcription

Spoken content is transformed into a text-based format. Formats are different ways to implement the textual elements, depending on technical needs.

Transcription creates the raw materials that will be refined in stages 2–4.

Step 2: Correction

Correction enhances readability by improving the textual flow. Punctuation, grammar, and sentence structure are adjusted so that the user’s reading experience is seamless and doesn’t detract from the content.

Step 3: Synchronization/spotting

Next, the text and audio are aligned precisely. Each caption or subtitle’s timing is adjusted so it appears and disappears at the correct moment.

Step 4: Translation

Translation is required for content intended for consumption in multiple languages. During this stage, it’s important to consider format requirements and character limitations. For example, a caption that fits on two lines in English might require three in Spanish, and so in Spanish, one caption becomes two. As a result, additional synchronization might be necessary.

Step 5: Simulation/display on screen

Finally, the captions or subtitles need to be integrated onto the end user’s screen. Formatting issues might arise at this stage, requiring tweaks for an optimal user experience.

How does the end user see subtitles and captions?

After the technical process of creating captions and subtitles, the next step is understanding how these elements appear to the end user. The type of captions you choose can greatly impact the user experience, especially when considering accessibility, engagement, and clarity. Below, we break down the different options available and how they serve different viewing scenarios.

  • Open captions: These are always visible to viewers and are a fixed part of the video. They’re popular, for example, for video installations in museums and employee training videos—cases where maximum accessibility is the key consideration when it comes to captions and/or subtitles.
  • Closed captions: Viewers can turn these on or off based on preference. For instance, an online course might offer this feature, allowing learners to choose how to consume the content. Students could opt temporarily to turn on closed captions to note the spelling of a new term introduced during the course.
  • Real-time captions: These are great for live events like webinars, where the text appears almost simultaneously as the words are spoken. They keep the audience engaged in real time without missing out on crucial points. For example, ambient noise like chatter in a sports bar might obscure commentary on a live TV basketball game. Real-time captions allow viewers to benefit from near-live commentary regardless of the bar’s noise levels or if the TV’s sound is muted.
  • Burned-in subtitles: These are etched onto the video and cannot be turned off. A promotional video targeting a multilingual audience might use this feature so that everyone understands the message, regardless of their language preference.

What to look for in captioning and subtitling services

To deliver high-quality captions and subtitles, it's important to choose a provider that offers key features for accuracy, efficiency, and audience engagement.

  • Original language transcription: Accurate documentation of every spoken word in your video for unrivaled accuracy.
  • Tailored translation: Localized content that integrates translations with cultural relevance, increasing resonance with diverse audiences.
  • Alignment synchronization: Time-annotated subtitles, matching words perfectly to the on-screen action.
  • Automatic SRT file generation: A simplified subtitling and captioning process through effortless file creation for a better user experience.

Transform your videos with cutting-edge captions and subtitles from Gcore

No matter your video content needs, it’s essential to be aware of the best type of captions and subtitles for your audience’s needs. Choosing the right format ensures a smoother viewing experience, better accessibility, and stronger engagement across every platform.

Gcore Video Streaming offers subtitles and closed captions to enhance users’ experience. Each feature within the subtitling and captioning toolkit is crafted to expand your video content’s reach and impact, catering to a multitude of use cases. Embedding captions is quick and easy, and AI-automated speech recognition also saves you time and money.

Why captions and subtitles are essential for video engagement

From TikToks on silent commutes to training videos in noisy offices, silent viewing is now standard. Captions and subtitles aren’t just accessibility features anymore. They’re essential for user engagement, global reach, and video performance.

This article explores why captions and subtitles matter and how they boost engagement with your videos, providing a better user experience for your audience. If you want to know how captions and subtitles work, we’ve got an article for that too.

How subtitles and captions improve your video performance

Subtitles are now widely used across platforms and age groups. For many younger viewers, reading along while watching is second nature, especially on social media. For others, subtitles are a practical solution: watching videos in public spaces, scrolling during breaks, or learning on the go—all without needing sound.

Captions offer tangible benefits across four key areas:

  • Engagement and comprehension: Improve clarity in movies, boost understanding in online courses, and increase focus in business content.
  • Accessibility and inclusion: Make content available to hard-of-hearing users and break language barriers for global audiences.
  • SEO and discoverability: Search engines can crawl subtitle text, making your video content more findable, even when autoplayed without sound.
  • Silent usability: Your content works in all environments, from crowded trains to quiet offices.

Captions have shifted from niche to norm, helping creators reach more people, boost retention, and deliver clearer messages.

Common challenges and their solutions

Implementing captions at scale poses three major challenges: cost, delay, and accuracy. Here's why these challenges exist and how Gcore Video Streaming can help you overcome them at the click of a button.

Cost

Investing in high-quality transcriptions can be a financial burden, especially for smaller players in online education. Specialized expertise is required for accurate educational content, and human oversight adds ongoing labor costs. Transcription is a recurring expense that grows with multiple languages or regulatory compliance.

Gcore scalable AI-powered transcription services reduce reliance on costly manual processes, offering affordable, multi-language support with built-in compliance features, making transcription cost-effective for all budgets.

Delay/latency

In live events, even slight delays in captioning can disengage audiences. For example, in a Formula One race, missing real-time commentary on pit stops or track conditions can leave viewers confused or frustrated. Lagging captions fail to keep pace with the action, breaking immersion.

Real-time AI ASR (automatic speech recognition) from Gcore minimizes captioning delay, so that live captions sync perfectly with events, keeping viewers fully engaged without lag.

Accuracy

A small text error in captions can distort the message and harm reputation. Errors in MOOCs or corporate webinars risk undermining credibility and discouraging future participation. Precision is critical to maintain trust and clarity.

Gcore leverages advanced AI models fine-tuned for domain-specific vocabulary and includes automated quality checks, drastically reducing errors and preserving message integrity across all video content.

Enhance your video content with Gcore AI-powered caption and subtitles tools

Captions are now a strategic content layer, not just an accessibility checkbox. With video now the dominant format across marketing, education, and entertainment, it's critical to implement captions efficiently, affordably, and at scale.

Gcore’s AI-powered Video Streaming lets you generate accurate, real-time captions across multiple languages with minimal developer effort. Built-in AI ASR (automatic speech recognition) means your captions stay synchronized even during fast-paced live events. Whether you’re running an LMS, hosting global events, or publishing OTT content, Gcore Video Streaming helps you scale captions with speed and precision.
