将 http 表单帖子解析为 https 表单帖子
有没有办法强制非安全表单帖子安全?我知道有一些方法可以自动将 http URL 解析为 https URL,但是对于表单帖子,这种类型的重定向是否太晚了?发布的数据是否已经以纯文本形式通过网络传输?
Is there a way to force a non-secure form post to be secure? I understand there are ways to automatically resolve an http URL as an https URL but with form posts, is this type of redirection too late? Will the posted data have already gone through the wire as plain text?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
从技术上来说,不。不过,您可以将表单的
action
属性设置为完全限定的 HTTPS 站点,无论呈现它的协议是否安全。是的,因为通过在响应中发出 301/302 状态代码在服务器上发生重定向。
Technically, no. You can however make the form's
action
attribute a fully-qualified HTTPS site, regardless if the protocol that rendered it is secured or not.Yes since a redirect happens on the server by issuing a 301/302 status code in the response.
一般来说,提供表单的页面也应该是 https。如果不是,则用户在提交表单之前不会收到任何指示该表单是安全的(也就是说,在提交之前之后不会出现“锁定”图标)。此外,攻击者可以劫持初始页面并仍然收集响应,而不向用户发出任何警告。
通过将“操作”设置为完全限定的 https URL,数据在发送到服务器时将被加密,但它仍然不如从一开始就在 https 中执行整个操作安全。
Generally speaking, the page that serves up the form should be https as well. If it is not, then users have no indication before they submit the form that it will be secure (that is, there'll be no 'lock' icon until after they submit). Also, an attacker could hijack the initial page and still collect responses without any warning to the users.
By setting the 'action' to a full-qualified https URL then the data will be encrypted when it goes to the server, but it is still less secure than doing the whole thing in https from the start.
以下是我想到的一些事情:
正如已经指出的,您可以将表单操作的 URL 设置为 HTTPS 地址。
在页面发布之前将协议从 HTTP 更改为 HTTPS。这似乎是最理想的。在输入任何信息之前(如果这很重要的话),它还可以让您的访客通过看到安全的挂锁来获得更大的安全感。我想到了三种方法:
javascript 中的一个例子非常简单:
祝你好运!
Here are a few things that come to mind:
As has already been noted, you can just set the URL of the form's action to an HTTPS address.
Change the protocol from HTTP to HTTPS before the page is posted. This would seem to be the most ideal. It also gives your visitors greater sense of security by seeing the secured padlock before entering any info (if this even matters). Three ways to do this come to mind:
An example of this in javascript is simple enough:
Good luck!