Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
This should be a quick one… here is my current .htaccess file:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
What I need to do is make sure that if http://www.mydomain.com/cart/ is reached, it needs to force HTTPS … so /cart/ and anything within /cart/
Once the request has been sent to
http://www.mydomain.com/cart/, if there is any sensitive data in the request, it’s too late. Force it to break! At least, it will give you an indication that there’s something wrong with your links. More details in previous answers:EDIT: (Example)
Let’s say you have
http://example.com/, the non-secure section of your site that allows the user to browse items. They’re not logged in at that stage, so it’s fine to do it over plain HTTP.Now, it’s cart/payment time. You want HTTPS. You send the user to
https://example.com/cart/. If one of the links that sends the user to the cart part is using plain HTTP (i.e.http://example.com/cart/), it’s a development mistake. It just shouldn’t be there. Making the process break when you thought you were going to be sent tohttps://example.com/cart/allows the developer to see it (and, once fixed, the user should never have the problem).If it’s just about the point to the HTTPS section of your site (typically, an HTTP GET via a link somewhere), it’s not necessarily that big a risk.
Where automatic redirects become even more dangerous is when they hide bigger problems.
For example, you’re on
https://example.com/cart/creditcarddetailsand you’ve filled in some information that should really just stay over SSL. However, the developer has made a mistake and a plainhttp://link is used in the form. In addition, the developer (a user/human after all) has clicked on “don’t show me this message again” in Firefox when it says “Warning: you’re going from a secure page to a non-secure page” (by the way, unfortunately, Firefox warns a posteriori: it has already made the insecure request by the time it shows the user that message). Now, that GET/POST request with sensitive data is sent first to that incorrect plainhttp://link and the automatic rewrites tells the browser to try the request again overhttps://. It looks fine because, as far as the user is concerned, this all happened in a fraction of a second. However, it’s not: sensitive data was sent in clear.Making the plain HTTP section of what should only be over HTTPS not do anything useful actually helps you see what’s wrong more clearly. Since the users should never end up there anyway if the links are correctly implemented, this isn’t really an issue for them.