Since most websites implement Hypertext Transport Protocol Secure (HTTPS), it is beneficial to know how to enable Burp to communicate with such sites. HTTPS is an encrypted tunnel running over Hypertext Transport Protocol (HTTP).

The purpose of HTTPS is to encrypt traffic between the client browser and the web application to prevent eavesdropping. However, as testers, we wish to allow Burp to eavesdrop, since that is the point of using an intercepting proxy. Burp provides a root, Certificate Authority (CA) signed certificate. This certificate can be used to establish trust between Burp and the target web application.

By default, Burp's Proxy can generate a per-target CA certificate when establishing an encrypted handshake with a target running over HTTPS. That takes care of the Burp-to-web-application portion of the tunnel. We also need to address the Browser-to-Burp portion.

In order to create a complete HTTPS tunnel connection between the client browser, Burp, and the target application, the client will need to trust the PortSwigger certificate as a trusted authority within the browser.