Wartin

Reputation: 1965

Is it OK to design and test a secure web app without SSL?

I need to build a small web app that will ultimately need to be launched via SSL.

My question is, can I design and test it as if it was an ordinary application and only later add whatever is necessary to make it secure? Or do I have to test it over SSL right from the start?

Upvotes: 4

Views: 341

Answers (5)

T.Rob

Reputation: 31852

My question is, can I design and test it as if it was an ordinary application and only later add whatever is necessary to make it secure? Or do I have to test it over SSL right from the start?

If by "whatever is necessary to make it secure" you mean "enable SSL" then sure, go for it. But if making it secure requires other things such as authentication, authorization, role-based access and what-not, then no. The conventional wisdom is to include security at all phases of development because you can't just "switch it on" at the end. Most of the issues in implementing a secure system with a rich set of access controls won't occur to you unless you are actually testing the core functionality while restricted by those controls and also have the opportunity to test both the "happy path" and the "unhappy path" through the code.

Upvotes: 3

Srikar Doddi

Reputation: 15609

Proxy all your requests through a non-https resource on your domain, especially if you are using AJAX calls. I ran into an issue (making AJAX calls from a non-SSL page to an SSL URL) a while back.

Upvotes: 2

user377136

Reputation:

You can test with non-SSL, but there are a few things to watch out for. If you're loading images or components (like a CAPTCHA, for example) off third-party sites, you'll want to make sure you can call them over SSL. Sometimes a tracking pixel for web analytics software can cause pain here too.

Upvotes: 4

Steve Robillard

Reputation: 13471

Besides http URLs, watch out for port numbers; your https traffic will not be on port 80.

Upvotes: 2

derekerdmann

Reputation: 18252

You'll be fine waiting on the SSL while you develop your app. Be careful not to hard-code any http:// URLs, and I don't think you'll run into any problems for the bulk of your development. Just make sure you do plenty of testing after making the switch to SSL before going live.

Upvotes: 4
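
A pre-switch check for the points raised in the answers above (third-party components loaded over http, hard-coded http:// URLs, explicit port 80), added here as an example and not code from any poster. The `audit` function, its category names and the example.test hosts are assumptions made for illustration.

```python
import re

# Constructed sample page source (not from the thread).
SAMPLE = """\
<link rel="stylesheet" href="/static/site.css">
<img src="http://captcha.example.test/challenge.png">
<script src="//cdn.example.test/lib.js"></script>
<a href="http://www.example.test/about">About</a>
$.get("http://www.example.test:80/api/items");
body { background: url(http://stats.example.test/pixel.gif); }
"""

# URLs the browser fetches on its own (images, scripts, frames,
# stylesheets, CSS url()). On an https page these are mixed content.
SUBRESOURCE = re.compile(
    r"""<(?:img|script|iframe|embed|source|audio|video)\b[^>]*?\bsrc\s*=\s*["']?(http://[^"'\s>]+)"""
    r"""|<link\b[^>]*?\bhref\s*=\s*["']?(http://[^"'\s>]+)"""
    r"""|url\(\s*["']?(http://[^"')\s]+)""",
    re.IGNORECASE,
)
# Any other absolute http:// URL: links, form actions, AJAX endpoints.
ANY_HTTP = re.compile(r"""http://[^"'\s<>)]+""", re.IGNORECASE)
# An explicit :80 that will be wrong once the scheme becomes https.
PORT_80 = re.compile(r"""https?://[^/"'\s:]+:80(?![0-9])""", re.IGNORECASE)


def audit(text):
    """Return sorted (line_no, kind, url) findings for one file's text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        fetched = set()  # start offsets already reported as subresources
        for m in SUBRESOURCE.finditer(line):
            fetched.add(m.start(m.lastindex))
            findings.append((no, "mixed-content", m.group(m.lastindex)))
        for m in ANY_HTTP.finditer(line):
            if m.start() not in fetched:
                findings.append((no, "hardcoded-http", m.group(0)))
        for m in PORT_80.finditer(line):
            findings.append((no, "port-80", m.group(0)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Relative and protocol-relative references (lines 1 and 3 of the sample) produce no finding, since they follow the page's scheme.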
