PHP: how to send form data securely?
I have a website that has a simple login form.
The form posts to login.php.
Inside login.php
I check for username and password and redirect to a specific page.
All is good until I come across security. From PCI compliance I get this:
All web application communications containing sensitive information should be transmitted using SSL/TLS (HTTPS). If re-direction from HTTP to HTTPS is utilized in an attempt to remediate this finding, please ensure that such re-direction occurs on the server side of the system (for example via the use of the HTTP "Location" header element) and that re-direction is not reliant upon the client (browser) side.
Then I went into login.php
and added this code at the top:
// Send the user to HTTPS before any login processing. IIS sets HTTPS to the string "off", which a bare !$_SERVER['HTTPS'] treats as true.
if (empty($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) === 'off') {
    header("Location: https://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"], true, 301);
    exit; // without this the script keeps running and processes the login over plain HTTP
}
If I try to log in after this change, the login process seems to go through fine, except I'm not sure that this solved the problem.
Notes:
I can't set the website to be: https://www.website.com
because this will throw a security warning. I do have a valid certificate though.
Any ideas how I can fix this issue?
Thanks
Edit:
The security warning is about accessing an insecure website, the red rectangle asking me if I'm sure I want to go to this website, and I can add it to the exceptions list.
If I add the certificate under the exception list, this alert happens only once.
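The PCI wording above accepts a server-side Location redirect, which is what the poster's snippet attempts. The following is an added example, not the poster's code, that keeps that approach but hardens the two pieces the snippet gets wrong: the HTTPS check (some servers set `$_SERVER['HTTPS']` to the string `"off"`, which is truthy) and the redirect itself (which must `exit` so the login logic never runs over plain HTTP, and must not build the target from an unchecked Host header). The hostnames in the allow-list are placeholders; `isHttpsRequest`, `httpsRedirectTarget` and `enforceHttps` are names chosen here.

```php
<?php
// Added example, not the original poster's code. It keeps the poster's idea
// (a server-side Location redirect at the top of login.php) but makes the
// check and the redirect robust. Hostnames in the allow-list are placeholders.

declare(strict_types=1);

/**
 * True when the request reached PHP over TLS.
 * IIS sets $_SERVER['HTTPS'] to the string "off" for plain HTTP; a bare
 * `!$_SERVER['HTTPS']` treats "off" as true, so compare explicitly.
 * Only trust X-Forwarded-Proto when a TLS-terminating proxy is the sole
 * path to this server; otherwise a client can set it and skip the redirect.
 */
function isHttpsRequest(array $server, bool $trustForwardedProto = false): bool
{
    $https = strtolower((string)($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return true;
    }
    if ((int)($server['SERVER_PORT'] ?? 0) === 443) {
        return true;
    }
    return $trustForwardedProto
        && strtolower((string)($server['HTTP_X_FORWARDED_PROTO'] ?? '')) === 'https';
}

/**
 * HTTPS URL for the same host and path, or null if the Host header is not one
 * we serve. HTTP_HOST (and SERVER_NAME on some setups) is client-controlled,
 * so an allow-list stops the redirect from sending users to a foreign host.
 */
function httpsRedirectTarget(array $server, array $allowedHosts): ?string
{
    $host = strtolower((string)($server['HTTP_HOST'] ?? $server['SERVER_NAME'] ?? ''));
    $host = preg_replace('/:\d+$/', '', $host); // drop an explicit port
    if (!in_array($host, $allowedHosts, true)) {
        return null;
    }
    $uri = (string)($server['REQUEST_URI'] ?? '/');
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/';
    }
    return 'https://' . $host . $uri;
}

/** Call this first in login.php, before any output and before reading the form. */
function enforceHttps(array $server, array $allowedHosts): void
{
    if (isHttpsRequest($server)) {
        // Already on TLS: ask the browser to stay on HTTPS for this host (HSTS).
        header('Strict-Transport-Security: max-age=31536000');
        return;
    }
    $target = httpsRedirectTarget($server, $allowedHosts);
    if ($target === null) {
        http_response_code(400);
        exit('Unknown host');
    }
    header('Location: ' . $target, true, 301);
    exit; // the poster's snippet lacked this and went on to process the login over HTTP
}

enforceHttps($_SERVER, ['www.example.com', 'example.com']); // placeholder hostnames
```

One caveat a reviewer would add: a redirect cannot protect a login that has already been POSTed over HTTP, because the credentials left the browser in cleartext before the server answered, and browsers turn a redirected POST into a GET without the body. The redirect satisfies the PCI finding for the HTTP entry point, but the page that serves the form must itself be delivered over HTTPS so the POST goes to HTTPS from the start.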
Comments (2)
Your certificate may be valid, but it's not recognized by the browser as safe. You need to find out why the browser is saying it's not valid. Usually it's been generated by a company using a root certificate that the browser doesn't recognize. You may need to switch certificates to get rid of the "red rectangle."
Are you sure your pages aren't including something via http transport, like a jpg or embedded object? You can tell the browser to use https for the page, but if the page calls jpgs or other scripts or something, you're able to call those with http. The browser then thinks the page has secure and insecure objects, and that can be an issue.
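The mixed-content problem this comment describes can be checked for before deploying. The following is an added example, not the commenter's code: it parses a page's HTML with PHP's DOM extension and lists every sub-resource that would be fetched over plain `http://`. The sample HTML is constructed for the demonstration and `findInsecureResources` is a name chosen here.

```php
<?php
// Added example, not the commenter's code: list sub-resources an HTML page
// loads over plain http://, the cause of a mixed-content warning on an HTTPS
// page. The sample HTML below is constructed for the demonstration.

declare(strict_types=1);

/**
 * Return [tag, attribute, url] for every resource fetched over http://.
 * Only tags the browser fetches while rendering or submitting the page are
 * checked; ordinary <a href> links are navigations, not mixed content.
 * https:// and protocol-relative (//host/...) URLs are not reported.
 */
function findInsecureResources(string $html): array
{
    $fetchedAttrs = [
        'img' => 'src', 'script' => 'src', 'iframe' => 'src', 'embed' => 'src',
        'video' => 'src', 'audio' => 'src', 'source' => 'src',
        'object' => 'data', 'link' => 'href', 'form' => 'action',
    ];

    $dom = new DOMDocument();
    libxml_use_internal_errors(true); // real pages are rarely well-formed
    $dom->loadHTML($html);
    libxml_clear_errors();

    $found = [];
    foreach ($fetchedAttrs as $tag => $attr) {
        foreach ($dom->getElementsByTagName($tag) as $el) {
            $url = trim($el->getAttribute($attr)); // '' when the attribute is absent
            if (stripos($url, 'http://') === 0) {
                $found[] = [$tag, $attr, $url];
            }
        }
    }
    return $found;
}

// Constructed sample: a protocol-relative stylesheet (fine), an insecure script,
// one secure and one insecure image, a form that posts over HTTP, and a plain link.
$sampleHtml = <<<'HTML'
<html><head>
<link rel="stylesheet" href="//cdn.example.com/site.css">
<script src="http://cdn.example.com/app.js"></script>
</head><body>
<img src="https://www.example.com/logo.png">
<img src="http://www.example.com/banner.jpg">
<form action="http://www.example.com/login.php" method="post"></form>
<a href="http://www.example.com/help">help</a>
</body></html>
HTML;

foreach (findInsecureResources($sampleHtml) as [$tag, $attr, $url]) {
    echo "<$tag $attr> loads over HTTP: $url\n";
}
```

Fixing the URLs themselves (or making them protocol-relative) is the durable remedy; as a stop-gap, the response header `Content-Security-Policy: upgrade-insecure-requests` tells supporting browsers to fetch such resources over HTTPS instead.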