Dougal

Reputation: 1067

Is HTTPS as the form's action enough?

Is HTTPS as the (HTML) form's action enough for the form data to be SSL encrypted for submission?

Or does the page that hosts the form have to be HTTPS as well?

Upvotes: 10

Views: 6407

Answers (3)

Quentin

Reputation: 943510

If the page the form is hosted on is not served over HTTPS, then it can be intercepted and modified en route. These modifications can include such things as changing the action of the form, or adding JavaScript to send the data to a third party before submitting the form as normal.

Submitting the form over HTTPS is not sufficient to protect the data. The form needs to be delivered that way too.

Upvotes: 11

Jim

Reputation: 73936

It is enough if all you want to do is wave the magical encryption fairy dust around. It's not enough if you want to actually be secure. Any man-in-the-middle attack could simply rewrite the form HTML to post to a malicious server.

Upvotes: 2

Andrew Cooper

Reputation: 32576

HTTPS on the form's action is sufficient to encrypt the form submission.

The page that hosts the form doesn't have to be HTTPS, although it helps to give the users confidence that their data is secure.

The other benefit of securing the hosting page is that the form can't be spoofed or altered by a man-in-the-middle.

Upvotes: 4
