将 http 表单帖子解析为 https 表单帖子

发布于 2024-09-04 13:20:46 字数 106 浏览 1 评论 0原文

有没有办法强制非安全表单帖子安全?我知道有一些方法可以自动将 http URL 解析为 https URL,但是对于表单帖子,这种类型的重定向是否太晚了?发布的数据是否已经以纯文本形式通过网络传输?

Is there a way to force a non-secure form post to be secure? I understand there are ways to automatically resolve an http URL as an https URL but with form posts, is this type of redirection too late? Will the posted data have already gone through the wire as plain text?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

梅倚清风 2024-09-11 13:20:46

有没有办法强制非安全表单帖子安全?

从技术上来说,不。不过,您可以将表单的 action 属性设置为完全限定的 HTTPS 站点,无论呈现它的协议是否安全。

发布的数据是否已经以纯文本形式通过网络传输?

是的,因为通过在响应中发出 301/302 状态代码在服务器上发生重定向。

Is there a way to force a non-secure form post to be secure?

Technically, no. You can however make the form's action attribute a fully-qualified HTTPS site, regardless if the protocol that rendered it is secured or not.

Will the posted data have already gone through the wire as plain text?

Yes since a redirect happens on the server by issuing a 301/302 status code in the response.

北音执念 2024-09-11 13:20:46

一般来说,提供表单的页面也应该是 https。如果不是,则用户在提交表单之前不会收到任何指示该表单是安全的(也就是说,在提交之前之后不会出现“锁定”图标)。此外,攻击者可以劫持初始页面并仍然收集响应,而不向用户发出任何警告。

通过将“操作”设置为完全限定的 https URL,数据在发送到服务器时将被加密,但它仍然不如从一开始就在 https 中执行整个操作安全。

Generally speaking, the page that serves up the form should be https as well. If it is not, then users have no indication before they submit the form that it will be secure (that is, there'll be no 'lock' icon until after they submit). Also, an attacker could hijack the initial page and still collect responses without any warning to the users.

By setting the 'action' to a full-qualified https URL then the data will be encrypted when it goes to the server, but it is still less secure than doing the whole thing in https from the start.

别理我 2024-09-11 13:20:46

以下是我想到的一些事情:

  1. 正如已经指出的,您可以将表单操作的 URL 设置为 HTTPS 地址。

  2. 在页面发布之前将协议从 HTTP 更改为 HTTPS。这似乎是最理想的。在输入任何信息之前(如果这很重要的话),它还可以让您的访客通过看到安全的挂锁来获得更大的安全感。我想到了三种方法:

    • 将指向表单页面的所有链接更改为 HTTPS。
    • 检测页面何时被非安全浏览,并重定向(使用客户端脚本)
    • 通过发送 Location 标头(又名 Response.Redirect),在服务器上执行相同的操作。

javascript 中的一个例子非常简单:

if ('https:' != window.location.protocol) {
    // This assumes your secured domain is the same as the currently-browsed one...
    window.location = String(window.location).replace(/^http:\/\//, 'https://');  
}

祝你好运!

Here are a few things that come to mind:

  1. As has already been noted, you can just set the URL of the form's action to an HTTPS address.

  2. Change the protocol from HTTP to HTTPS before the page is posted. This would seem to be the most ideal. It also gives your visitors greater sense of security by seeing the secured padlock before entering any info (if this even matters). Three ways to do this come to mind:

    • Change all links to your form page to be in HTTPS.
    • Detect when the page is browsed non-securely, and redirect (using client-side scripting)
    • Do the same thing but on the server, by sending a Location header (a.k.a. Response.Redirect).

An example of this in javascript is simple enough:

if ('https:' != window.location.protocol) {
    // This assumes your secured domain is the same as the currently-browsed one...
    window.location = String(window.location).replace(/^http:\/\//, 'https://');  
}

Good luck!

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文