How important is it to use SSL on every page of your website?

Question

Recently I installed a certificate on the website I'm working on. I've made as much of the site as possible work with HTTP, but after you log in, it has to remain in HTTPS to prevent session hijacking, doesn't it?

Unfortunately, this causes some problems with Google Maps; I get warnings in IE saying "this page contains insecure content". I don't think we can afford Google Maps Premier right now to get their secure service.

It's sort of an auction site so it's fairly important that people don't get charged for things they didn't purchase because some hacker got into their account. All payments are done through PayPal though, so I'm not saving any sort of credit card info, but I am keeping personal contact information. Fraudulent charges could be reversed fairly easily if it ever came to that.

What do you guys suggest I do? Should I take the bulk of the site off HTTPS and just secure certain pages like wherever you enter your password, and that's it? That's what our competition seems to do.

Recommended answer

I would take the bulk of the site off HTTPS with some exceptions of course:

  1. Any checkout or account editing screens.
  2. Any screens that display "sensitive" information.

To deal with the session hijacking issue, I would add another layer of authentication where you prompt them for their username and password again at checkout or whenever they try to view/update account information - basically whenever you make a transition from http to https.
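
One way to implement the re-prompt described in the answer above, as an added example that is not part of the original post: after the user re-enters credentials over HTTPS, the server issues a separate cookie marked Secure and bound to the session, so a session ID observed over plain HTTP is not enough to open the sensitive screens. The paths, cookie name, timeout and function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

SERVER_KEY = secrets.token_bytes(32)            # signing key (assumption: per process)
SENSITIVE_PREFIXES = ("/checkout", "/account")  # hypothetical sensitive paths
STEP_UP_TTL = 600                               # seconds a re-login stays valid (assumption)

def _tag(session_id, expires):
    msg = f"{session_id}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_step_up_cookie(session_id, now=None):
    """Build the Set-Cookie value to send after a successful re-login over HTTPS."""
    expires = int((now or time.time()) + STEP_UP_TTL)
    c = SimpleCookie()
    c["stepup"] = f"{expires}.{_tag(session_id, expires)}"
    c["stepup"]["secure"] = True     # browser never sends it over plain HTTP
    c["stepup"]["httponly"] = True   # not readable from page scripts
    c["stepup"]["path"] = "/"
    return c["stepup"].OutputString()

def step_up_valid(session_id, cookie_value, now=None):
    """True if the cookie was issued for this session and has not expired."""
    try:
        expires_s, tag = cookie_value.split(".", 1)
        expires = int(expires_s)
    except (AttributeError, ValueError):
        return False
    fresh = expires > (now or time.time())
    return hmac.compare_digest(_tag(session_id, expires), tag) and fresh

def decide(scheme, path, session_id, cookies):
    """Return 'allow', 'redirect_https' or 'reauth' for one request."""
    if not path.startswith(SENSITIVE_PREFIXES):
        return "allow"               # ordinary browsing, HTTP session cookie only
    if scheme != "https":
        return "redirect_https"      # sensitive screens are HTTPS-only
    if step_up_valid(session_id, cookies.get("stepup")):
        return "allow"
    return "reauth"                  # prompt for username and password again
```
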
