将http表单帖子解析为https表单帖子
[英]Resolve http form post as https form post
问题描述
Is there a way to force a non-secure form post to be secure? 
有没有一种方法可以强制将不安全的表格发布安全化? I understand there are ways to automatically resolve an http URL as an https URL but with form posts, is this type of redirection too late? 我知道有几种方法可以自动将http URL解析为https URL,但是具有表单发布,这种重定向类型为时已晚吗? Will the posted data have already gone through the wire as plain text? 发布的数据是否已经以纯文本格式通过网络?
3 个解决方案
解决方案1
0 已采纳 2010-06-03 04:12:34
Is there a way to force a non-secure form post to be secure?
Technically, no. 从技术上讲,没有。 You can however make the form's action attribute a fully-qualified HTTPS site, regardless if the protocol that rendered it is secured or not. 但是,您可以使表单的action属性成为完全合格的HTTPS站点,而不管提供该表单的协议是否受保护。
Will the posted data have already gone through the wire as plain text?
Yes since a redirect happens on the server by issuing a 301/302 status code in the response. 是的,因为重定向是通过在响应中发出301/302状态代码在服务器上发生的。
解决方案2
0 2010-06-03 04:25:43
Generally speaking, the page that serves up the form should be https as well. 一般来说, 提供表单的页面也应为https。 If it is not, then users have no indication before they submit the form that it will be secure (that is, there'll be no 'lock' icon until after they submit). 如果不是这样,则用户在提交表单之前将没有任何指示,表明表单将是安全的(也就是说,直到提交后 ,才会显示“锁定”图标)。 Also, an attacker could hijack the initial page and still collect responses without any warning to the users. 此外,攻击者可能会劫持初始页面,并且仍然收集响应而不会向用户发出任何警告。
By setting the 'action' to a full-qualified https URL then the data will be encrypted when it goes to the server, but it is still less secure than doing the whole thing in https from the start. 通过将“操作”设置为标准的https URL,则数据将在进入服务器时进行加密,但与从一开始就在https中进行全部操作相比,它的安全性仍然较低。
解决方案3
0 2010-06-03 05:01:22
Here are a few things that come to mind: 这是我想到的几件事:
As has already been noted, you can just set the URL of the form's action to an HTTPS address.
如前所述,您可以将表单操作的URL设置为HTTPS地址。 Change the protocol from HTTP to HTTPS before the page is posted.
在发布页面之前 ,将协议从HTTP更改为HTTPS。 This would seem to be the most ideal. 这似乎是最理想的。 It also gives your visitors greater sense of security by seeing the secured padlock before entering any info (if this even matters). 通过在输入任何信息之前查看安全的挂锁,这也使您的访客更加安全。 Three ways to do this come to mind: 我想到了三种方法: - Change all links to your form page to be in HTTPS. 将所有链接更改为使用HTTPS的表单页面。
- Detect when the page is browsed non-securely, and redirect (using client-side scripting) 检测何时非安全地浏览页面,并重定向(使用客户端脚本)
- Do the same thing but on the server, by sending a Location header (aka Response.Redirect). 通过发送位置标头(也称为Response.Redirect),在服务器上执行相同的操作。
- Change all links to your form page to be in HTTPS.
An example of this in javascript is simple enough: javascript中的一个例子很简单:
if ('https:' != window.location.protocol) {
// This assumes your secured domain is the same as the currently-browsed one...
window.location = String(window.location).replace(/^http:\/\//, 'https://');
}
Good luck! 祝好运!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.