0





66
1

Supposing you have a form that collects and submits sensitive information and you want to ensure it is never accessed via insecure (non-HTTPS) means, how might you best go about enforcing that policy?

Question author Teflon-ted | Source

0


1

I think the most bullet-proof solution is to keep the code inside your SSL document root only. This will ensure that you (or another developer in the future) can't accidentally link to a non-secure version of the form. If you have the form on both HTTP and HTTPS, you might not even notice if the wrong one gets used inadvertently.

If this isn't doable, then I would take at least two precautions. Do the Apache URL rewriting, and have a check in your code to make sure the session is encrypted - check the HTTP headers.

Answer author Eugene

Ask about this question here!