Transport security

Your Identity Cloud instance can be accessed via HTTPS only.

There is also a plain HTTP endpoint, but its sole purpose is to redirect incoming requests to HTTPS.

HTTP Strict Transport Security (HSTS) is applied to responses so that browsers refuse to downgrade the connection to plain HTTP, which also defeats man-in-the-middle attacks that rely on such a downgrade. The HSTS policy has a long duration (182 days).

Browsers and technical clients must use Transport Layer Security (TLS) version 1.2. Version 1.3 is not yet supported.

The supported ciphers are:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (recommended)
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Browsers and technical clients also need to support server name indication (SNI).
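The following is an added example, not code from this page or the Identity Cloud product: it encodes the requirements above (TLS 1.2 only, the two listed cipher suites, SNI, HSTS of at least 182 days) and checks a connection's negotiated protocol, cipher and HSTS header against them. The OpenSSL cipher names are the standard equivalents of the IANA names listed above, and the sample observation is constructed.

```python
import re
import socket
import ssl

# Policy from the page: TLS 1.2 only, two ECDHE-RSA GCM suites, HSTS of 182 days.
EXPECTED_TLS_VERSION = "TLSv1.2"
EXPECTED_CIPHERS = (  # OpenSSL names of the listed IANA suites, recommended one first
    "ECDHE-RSA-AES256-GCM-SHA384",  # TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    "ECDHE-RSA-AES128-GCM-SHA256",  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
)
MIN_HSTS_MAX_AGE = 182 * 24 * 3600  # 182 days in seconds

def client_context():
    ctx = ssl.create_default_context()  # certificate and hostname verification stay on
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(EXPECTED_CIPHERS))  # offer only the documented suites
    return ctx

def hsts_max_age(header):  # seconds from a Strict-Transport-Security value, or None
    match = re.search(r'max-age\s*=\s*"?(\d+)"?', header or "", re.IGNORECASE)
    return int(match.group(1)) if match else None

def check_observation(version, cipher, hsts_header):
    """Compare what one connection observed against the documented policy."""
    findings = []
    if version != EXPECTED_TLS_VERSION:
        findings.append(f"unexpected protocol {version}")
    if cipher not in EXPECTED_CIPHERS:
        findings.append(f"unexpected cipher {cipher}")
    age = hsts_max_age(hsts_header)
    if age is None:
        findings.append("no HSTS max-age in response")
    elif age < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {age} shorter than {MIN_HSTS_MAX_AGE}")
    return findings

def observe(host, port=443):
    """Connect with SNI and return (protocol, cipher, HSTS header) as observed."""
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=10) as raw:
        # server_hostname sets the SNI extension the page says clients must send
        with client_context().wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(request)
            reply = b"".join(iter(lambda: tls.recv(4096), b"")).decode("latin-1")
            version, cipher = tls.version(), tls.cipher()[0]
    hsts = re.search(r"^strict-transport-security:[ \t]*(.*?)\r?$", reply, re.I | re.M)
    return version, cipher, hsts.group(1) if hsts else None

# Constructed sample of a compliant observation (not a real capture); live: observe(host)
SAMPLE = ("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384", "max-age=15724800; includeSubDomains")
```

Against a live instance, `check_observation(*observe(host))` returns an empty list when the connection matches the documented policy and one finding per deviation otherwise.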

Your Identity Cloud instance has its own server key and certificate.

The server key is 2048 bits.

The server certificate has a short expiration and is renewed periodically.