Supposing you have a form that collects and submits sensitive information and you want to ensure it is never accessed via insecure (non-HTTPS) means, how might you best go about enforcing that policy?
Take a look at this: http://www.dotnetmonster.com/Uwe/Forum.aspx/asp-net/75369/Enforcing-https
Edit: This shows solutions from an IIS point of view, but you should be able to configure about any web server for this.
In IIS? Go to security settings and hit "Require secure connection". Alternately, you can check the server variables in page load and redirect to the secure page.
If you're running Apache, you can put a RewriteRule
in your .htaccess
, like so:
RewriteCond %{HTTPS} "off"
RewriteRule /mypage.html https://example.com/mypage.html
I'd suggest looking at the request in the code that renders the form, and if it is not using SSL, issue a redirect to the https URL.
You could also use a rewite rule in Apache to redirect the user.
Or, you could just not serve up the page via HTTP, and keep it only in the document root of your HTTPS site.
I think the most bullet-proof solution is to keep the code inside your SSL document root only. This will ensure that you (or another developer in the future) can't accidentally link to a non-secure version of the form. If you have the form on both HTTP and HTTPS, you might not even notice if the wrong one gets used inadvertently.
If this isn't doable, then I would take at least two precautions. Do the Apache URL rewriting, and have a check in your code to make sure the session is encrypted - check the HTTP headers.