I am currently developing an MVC4 web application for eCommerce. The site will contain a login and users can visit the site, input their details and submit orders etc. This is a traditional eCommerce site.
To boost the security of the site, I am looking to set up the entire site in https. As the user will be supplying their login credentials and storing personal information in cookies, I would like the site to be fully secured.
I have concerns, though: if I set up the site in https, will it be detrimental to performance? Will it impact negatively on search engine optimization? Are there any other implications of having an entire site in https?
I use output caching to cache the content of my views – with https will these still get cached?
I have been reviewing security guidelines and documentation, such as this from OWASP, and they recommend this. Also, I see that sites such as Twitter are fully https.
Generally speaking, no – whole-site encryption is not a problem for performance.
(Just make sure you disable SSL 2.0 on your server, as it’s vulnerable to the BEAST attack; you should use TLS 1.0 or SSL 3.0, which have been supported by pretty much every browser since 2000.)
The performance issues were a problem years ago, but not anymore. Modern servers have the capacity to deal with the encryption of hundreds of requests and responses every second.
You haven’t mentioned deploying a load-balancer or failover system, which implies your site won’t be subject to thousands of pageviews every second. That’s when you need to start using SSL offloaders – but you’re okay for now.
Output caching is not affected by encryption – just make sure you’re not serving one person’s output to another (i.e. cache a shopping cart or banking details in Session or with the Session ID in the Cache key).
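An added example, not part of the original answer: one way to lay out the caching advice above in an MVC4 app that is HTTPS-only, with a shared output-cache entry for catalogue pages and per-user data kept out of the output cache and keyed by Session ID. The controller, action names, durations and the `cart:` key prefix are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Caching;
using System.Web.Mvc;
using System.Web.UI; // OutputCacheLocation

// App_Start/FilterConfig.cs: redirect plain-HTTP GET requests to HTTPS site-wide.
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new RequireHttpsAttribute());
    }
}

// Hypothetical controller: names and durations are illustrative.
public class StoreController : Controller
{
    // Identical for every visitor, so one cached copy per product id is safe.
    [OutputCache(Duration = 300, VaryByParam = "id", Location = OutputCacheLocation.Server)]
    public ActionResult Product(int id)
    {
        ViewBag.ProductId = id;
        return View();
    }

    // Per-user view: keep it out of the output cache and mark it no-store
    // so browsers and proxies do not keep a copy either.
    [OutputCache(Duration = 0, NoStore = true, Location = OutputCacheLocation.None)]
    public ActionResult Cart()
    {
        // Writing to Session first pins the session ID; ASP.NET issues a new
        // ID on each request until the session is actually used.
        Session["HasCart"] = true;
        string key = "cart:" + Session.SessionID; // per-user Cache key

        var items = HttpContext.Cache[key] as List<string>;
        if (items == null)
        {
            items = new List<string>(); // would be loaded from the order store
            HttpContext.Cache.Insert(key, items, null,
                DateTime.UtcNow.AddMinutes(20), Cache.NoSlidingExpiration);
        }
        return View(items);
    }
}
```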