If I have a domain, https://somedomain.example, with a valid SSL certificate, do I have to take any other precautions to encrypt data between clients and my server, or is my only concern now to protect data on the server via some AES encryption in my MySQL database?
Essentially, do I leave all of the security between client and server down to SSL? Is that how Facebook and Google do it, for instance?
Simply using SSL will handle all the encryption so the data will be protected in transit.
Authentication, authorisation and defences against XSS and CSRF need handling separately. (Although you can use SSL client certs for authentication.)
XSS is something to watch out for in particular: if an attacker can inject JS into the page, then it can access the data in the browser where (unlike when it is in transit) it isn’t encrypted.
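To illustrate the answer above, here is an added example (not part of the original post) of the application-level handling that SSL does not provide: output encoding against XSS, plus response headers and cookie flags that limit what injected script or a cross-site request can reach. The function names, header values and sample input are assumptions constructed for illustration.

```javascript
// Added example: hypothetical helpers, constructed sample data.

// Unsafe: untrusted text is interpolated straight into markup, so any
// script it contains runs in the page, where data is no longer encrypted.
function renderCommentUnsafe(comment) {
  return `<p class="comment">${comment}</p>`;
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that let text break out of an HTML text or
// quoted-attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened: the same template, with the untrusted value encoded first.
function renderCommentSafe(comment) {
  return `<p class="comment">${escapeHtml(comment)}</p>`;
}

// Headers for an HTTPS-only site. TLS protects the bytes in transit;
// these cover the browser side.
function securityHeaders(sessionId) {
  // Reject values that could inject extra cookie attributes or headers.
  if (!/^[A-Za-z0-9_-]+$/.test(sessionId)) {
    throw new Error('invalid session id');
  }
  return {
    // Browser refuses plain-HTTP connections to this host for a year.
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    // Only same-origin scripts may run; inline injected script is blocked.
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    'X-Content-Type-Options': 'nosniff',
    // Secure: sent over TLS only. HttpOnly: unreadable from page script.
    // SameSite=Strict: not attached to cross-site requests (CSRF).
    'Set-Cookie': `session=${sessionId}; Secure; HttpOnly; SameSite=Strict; Path=/`,
  };
}

// Constructed sample input standing in for attacker-supplied text.
const sampleComment = '<script>alert("xss")</script>';
console.log(renderCommentUnsafe(sampleComment)); // script tag survives
console.log(renderCommentSafe(sampleComment));   // rendered as inert text
console.log(securityHeaders('abc123_constructed'));
```

Output encoding has to match the context the value lands in; the escaping shown here is for HTML text and quoted attribute values, not for values placed inside script blocks or URLs.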