diff --git a/.gitignore b/.gitignore
index 5ba5619..28a8876 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,6 @@
 #Password files
 admin.passwd
 email.json
+admin.crt
+admin.key
 
diff --git a/README.md b/README.md
index 9b63e1f..3d905bf 100644
--- a/README.md
+++ b/README.md
@@ -186,6 +186,9 @@ portspoof-py [OPTIONS]
 | `--admin-port PORT` | disabled | Start the web admin interface on this port. |
 | `--admin-host HOST` | `127.0.0.1` | Address the admin interface binds to. Set to `0.0.0.0` to expose it on all interfaces (protect with a firewall). |
 | `--admin-passwd FILE` | `admin.passwd` | File containing `username:password` on a single line. Required when `--admin-port` is used. |
+| `--admin-ssl` | off | Serve the admin interface over HTTPS. |
+| `--admin-ssl-cert FILE` | `admin.crt` | TLS certificate PEM file. If the file does not exist it is auto-generated as a self-signed cert (requires `openssl` on PATH). |
+| `--admin-ssl-key FILE` | `admin.key` | TLS private key PEM file. Auto-generated alongside the cert if missing. |
 | `--email-config FILE` | `email.json` | JSON file where email alert settings are stored. Created automatically when you first save settings from the admin UI. |
 
 ---
@@ -354,6 +357,24 @@ echo "admin:changeme" > admin.passwd
 
 The file must contain a single line in `username:password` format. Pass a custom path with `--admin-passwd FILE`.
 
+### HTTPS / TLS
+
+Add `--admin-ssl` to serve the interface over HTTPS:
+
+```bash
+sudo python3 -m portspoof_py \
+    -p 4444 -s tools/portspoof_signatures \
+    --admin-port 8080 --admin-ssl
+```
+
+On first run, a self-signed certificate (`admin.crt` / `admin.key`) is generated automatically using `openssl`. Your browser will show an untrusted-certificate warning — add an exception or use a real cert.
+
+To use your own certificate:
+
+```bash
+--admin-ssl --admin-ssl-cert /etc/ssl/mycert.pem --admin-ssl-key /etc/ssl/mykey.pem
+```
+
 ### Dashboard — `GET /`
 
 A dark-themed HTML page that auto-refreshes every 5 seconds. Sections:
diff --git a/portspoof_py/__pycache__/admin.cpython-312.pyc b/portspoof_py/__pycache__/admin.cpython-312.pyc
index d724803..0c47301 100644
Binary files a/portspoof_py/__pycache__/admin.cpython-312.pyc and b/portspoof_py/__pycache__/admin.cpython-312.pyc differ
diff --git a/portspoof_py/__pycache__/cli.cpython-312.pyc b/portspoof_py/__pycache__/cli.cpython-312.pyc
index 154d524..7ad5df5 100644
Binary files a/portspoof_py/__pycache__/cli.cpython-312.pyc and b/portspoof_py/__pycache__/cli.cpython-312.pyc differ
diff --git a/portspoof_py/admin.py b/portspoof_py/admin.py
index dcdfc05..ee45083 100644
--- a/portspoof_py/admin.py
+++ b/portspoof_py/admin.py
@@ -13,6 +13,7 @@ import base64
 import hmac
 import html
 import json
+import ssl
 from pathlib import Path
 from typing import Optional, Tuple
 from urllib.parse import parse_qs, urlparse
@@ -680,8 +681,9 @@ async def run_admin(
     creds: Tuple[str, str],
     stop_event: asyncio.Event,
     notifier: Optional['Notifier'] = None,
+    ssl_context: Optional[ssl.SSLContext] = None,
 ) -> None:
-    """Start the admin HTTP server and run until stop_event is set."""
+    """Start the admin HTTP(S) server and run until stop_event is set."""
 
     def handler(r, w):
         asyncio.create_task(_handle(r, w, stats, cfg, creds, notifier))
@@ -691,10 +693,12 @@ async def run_admin(
         host=host or '127.0.0.1',
         port=port,
         reuse_address=True,
+        ssl=ssl_context,
     )
 
-    addrs = ', '.join(str(s.getsockname()) for s in server.sockets)
-    print(f'[admin] web interface → http://{addrs}')
+    scheme = 'https' if ssl_context else 'http'
+    host_str = host or '127.0.0.1'
+    print(f'[admin] web interface → {scheme}://{host_str}:{port}')
 
     async with server:
         await stop_event.wait()
diff --git a/portspoof_py/cli.py b/portspoof_py/cli.py
index a65cd9e..25e56d1 100644
--- a/portspoof_py/cli.py
+++ b/portspoof_py/cli.py
@@ -4,6 +4,8 @@ CLI entry point — argument parsing, signal handling, startup/shutdown.
 import argparse
 import asyncio
 import signal
+import ssl
+import subprocess
 import sys
 from typing import Optional
 
@@ -46,9 +48,49 @@ def _parse_args(argv=None):
                         '(default: admin.passwd)')
     p.add_argument('--email-config', default='email.json', metavar='FILE',
                    help='JSON file for email alert config (default: email.json)')
+    p.add_argument('--admin-ssl',    action='store_true',
+                   help='Serve the admin interface over HTTPS')
+    p.add_argument('--admin-ssl-cert', default='admin.crt', metavar='FILE',
+                   help='TLS certificate PEM file (default: admin.crt). '
+                        'Auto-generated self-signed cert if the file does not exist.')
+    p.add_argument('--admin-ssl-key',  default='admin.key', metavar='FILE',
+                   help='TLS private key PEM file (default: admin.key). '
+                        'Auto-generated alongside the cert if it does not exist.')
     return p.parse_args(argv)
 
 
+def _ensure_ssl_cert(cert_file: str, key_file: str) -> None:
+    """Generate a self-signed cert+key with openssl if they don't already exist."""
+    from pathlib import Path as _Path
+    if _Path(cert_file).exists() and _Path(key_file).exists():
+        return
+    print(f'[admin] generating self-signed TLS cert ({cert_file}, {key_file}) …')
+    try:
+        subprocess.run(
+            [
+                'openssl', 'req', '-x509', '-newkey', 'rsa:2048',
+                '-keyout', key_file, '-out', cert_file,
+                '-days', '3650', '-nodes',
+                '-subj', '/CN=portspoof-admin',
+            ],
+            check=True,
+            capture_output=True,
+        )
+    except FileNotFoundError:
+        print('ERROR: openssl not found — install it or supply --admin-ssl-cert / --admin-ssl-key',
+              file=sys.stderr)
+        raise
+    except subprocess.CalledProcessError as exc:
+        print(f'ERROR: openssl failed: {exc.stderr.decode()}', file=sys.stderr)
+        raise
+
+
+def _build_ssl_context(cert_file: str, key_file: str) -> ssl.SSLContext:
+    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
+    return ctx
+
+
 def main(argv=None) -> int:
     args = _parse_args(argv)
 
@@ -92,6 +134,19 @@ def main(argv=None) -> int:
             )
             return 1
 
+    # SSL context for admin interface
+    ssl_context: Optional[ssl.SSLContext] = None
+    if args.admin_ssl:
+        if not args.admin_port:
+            print('ERROR: --admin-ssl requires --admin-port', file=sys.stderr)
+            return 1
+        try:
+            _ensure_ssl_cert(args.admin_ssl_cert, args.admin_ssl_key)
+            ssl_context = _build_ssl_context(args.admin_ssl_cert, args.admin_ssl_key)
+            print(f'[admin] TLS enabled (cert={args.admin_ssl_cert})')
+        except Exception:
+            return 1
+
     notifier: Notifier = Notifier(args.email_config)
     print(f'[portspoof] email config: {args.email_config}')
 
@@ -121,7 +176,7 @@ def main(argv=None) -> int:
             if args.admin_port:
                 tasks.append(asyncio.create_task(
                     run_admin(stats, cfg, args.admin_host, args.admin_port, creds, stop_event,
-                              notifier=notifier)
+                              notifier=notifier, ssl_context=ssl_context)
                 ))
             await asyncio.gather(*tasks)
         finally: