Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is HTTPS as the form's action enough?

Is HTTPS as the (HTML) form's action enough for the form data to be SSL encrypted for submission?

Or does the page that hosts the form have to be HTTPS as well?

like image 689
Dougal Avatar asked Jan 11 '11 23:01

Dougal


People also ask

What should I put in form action?

The action attribute specifies where to send the form-data when a form is submitted.

What is form method post action?

The method attribute specifies how to send form-data (the form-data is sent to the page specified in the action attribute). The form-data can be sent as URL variables (with method="get" ) or as HTTP post transaction (with method="post" ). Notes on GET: Appends form-data into the URL in name/value pairs.

What is Action_page PHP in HTML?

The action attribute defines the action to be performed when the form is submitted. Usually, the form data is sent to a file on the server when the user clicks on the submit button. In the example below, the form data is sent to a file called "action_page.php".

What is the use of action in HTML?

The HTML | action Attribute is used to specify where the formdata is to be sent to the server after submission of the form. It can be used in the <form> element. Attribute Values: URL: It is used to specify the URL of the document where the data to be sent after the submission of the form.


2 Answers

If the page the form is hosted on is not served over HTTPS, then it can be intercepted and modified en route. These modifications can include such things as changing the action of the form, or adding JavaScript to send the data to a third party before submitting the form as normal.

Submitting the form over HTTPS is not sufficient to protect the data. The form needs to be delivered that way too.

like image 157
Quentin Avatar answered Oct 17 '22 11:10

Quentin


HTTPS on the form's action is sufficient to encrypt the form submission.

The page that hosts the form doesn't have to HTTPS, although it helps to give the users confidence that their data is secure.

The other benefit of securing the hosting page is that the form can't be spoofed or altered by a man-in-the-middle.

like image 4
Andrew Cooper Avatar answered Oct 17 '22 11:10

Andrew Cooper