I have a certificate installed on my web server. If I just want one page to be accessed through SSL, what do I need to mark up on the page, or is there another setting somewhere else?
In short, the only reliable way is to link to it using an https:// URL only. Ideally, you should make sure that your users expect HTTPS to be used, and that they will check that it’s used properly (i.e. they won’t ignore browser warnings).
Anything that’s enforced on the server after a plain HTTP request is potentially vulnerable to MITM attacks. This includes redirect methods via mod_rewrite, PHP headers (Location headers), JavaScript (extracting window.location), …, and of course, the initial delivery of the https:// link itself, if it’s obtained from a page served over plain HTTP. Even a denial of access due to something like SSLRequireSSL is only effective after a plain HTTP request has been received.
It’s not a bad idea to use these redirection techniques, if only to get your users used to the fact they’re using HTTPS (they may notice something odd if on another occasion they’re not, which would possibly indicate a MITM attack), and they should at least protect them against passive eavesdropping attacks.
More generally, even if you are serving http://www.example.com and https://www.example.com with the same host name (and possibly the same server software), they are technically two distinct hosts (e.g. virtual hosts in the Apache Httpd terminology) and resources hosted on one need not be hosted on the other. Simply don’t serve the pages you only want via HTTPS on your plain HTTP host. I’d also suggest not to use redirects (at least during the development phase), so that it breaks when you’re not linking to those pages using HTTPS: this will help detect potential mixed-content problems. The automatic redirects are mainly useful for users who type in the address directly into their browsers.
You could consider getting your site in the pre-loaded HTTP Strict Transport Security lists (or at least use HSTS, which would make the browser remember to use HTTPS only after it has worked at least once), but this will apply to the entire host.
You can find more details in these answers, on Security.SE and on Webmasters.SE.
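
One way to check a deployment against the points in the answer above, as an added example that is not part of the original answer: it classifies how the plain HTTP host replies for a page meant to be HTTPS-only and whether the HTTPS host sends an effective HSTS policy. The function names, paths and sample replies are constructed for illustration.

```python
from urllib.parse import urlsplit

def classify_plain_http(status, headers):
    """Classify the plain-HTTP host's reply for a page meant to be HTTPS-only."""
    headers = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400:
        scheme = urlsplit(headers.get("location", "")).scheme
        # A redirect stops passive eavesdropping only: the first request was sent in clear.
        return "redirect-to-https" if scheme == "https" else "redirect-not-https"
    if 200 <= status < 300:
        return "served-over-http"   # the page also exists on the plain HTTP host
    return "not-served"             # e.g. 403/404: only the HTTPS host has the page

def parse_hsts(headers):
    """Return max-age in seconds from HTTPS response headers, or None if no valid policy."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return None
    max_age = None
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip('"').isdigit():
            max_age = int(arg.strip('"'))
    return max_age

def audit(http_reply, https_reply):
    """Each reply is (status, headers). Returns (classification, findings)."""
    kind = classify_plain_http(*http_reply)
    findings = []
    if kind == "served-over-http":
        findings.append("page is served by the plain HTTP host")
    elif kind == "redirect-not-https":
        findings.append("redirect does not lead to an https:// URL")
    if not parse_hsts(https_reply[1]):   # header missing, invalid, or max-age=0
        findings.append("no effective HSTS policy on the HTTPS host")
    return kind, findings

# Constructed sample replies: path -> (plain HTTP reply, HTTPS reply).
SAMPLES = {
    "/account": ((200, {"Content-Type": "text/html"}), (200, {})),
    "/login": ((301, {"Location": "https://www.example.com/login"}),
               (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})),
    "/admin": ((404, {}), (200, {"Strict-Transport-Security": "max-age=0"})),
}

if __name__ == "__main__":
    for path, (http_reply, https_reply) in SAMPLES.items():
        print(path, *audit(http_reply, https_reply))
```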