HTTPS is HTTP with a layer of encryption added. It is the protocol your browser uses to load a website, but with the connection scrambled so that nobody sitting between you and the server can read or change what is sent. That little padlock in the address bar is HTTPS doing its job.
Think of sending a postcard versus a sealed letter. Plain HTTP is the postcard: every mail handler along the way can read it. HTTPS is the sealed envelope, and only the website you are talking to holds the key to open it. The lock is provided by an SSL certificate, and the actual scrambling is handled by TLS, the modern protocol that replaced the older SSL.
This matters for more than passwords. Login forms, search queries, the contents of a checkout, even which pages someone visits are all exposed over plain HTTP. With HTTPS that traffic is protected, which is exactly why browsers warn visitors away from unencrypted sites and why search engines treat it as a ranking signal.
There is a tampering angle too, not just eavesdropping. On a plain connection a café WiFi or a dodgy network can quietly inject ads or rewrite a download link. HTTPS blocks that, because any change to the traffic breaks the cryptographic seal and the browser refuses to load it. Under the hood, every connection opens with a short handshake where the browser and server agree on a key and the certificate confirms the server really is who it claims. The other practical step is forcing the secure version with HSTS, so a visitor never lands on the HTTP page by accident.
At TopDevs we ship every site and API over HTTPS by default, with certificates that renew on their own so the lock never quietly expires.