Is HTTPS as the (HTML) form's action enough for the form data to be SSL encrypted for submission?
Or does the page that hosts the form have to be HTTPS as well?
The action attribute specifies where to send the form-data when a form is submitted.
The method attribute specifies how to send form-data (the form-data is sent to the page specified in the action attribute). The form-data can be sent as URL variables (with method="get" ) or as HTTP post transaction (with method="post" ). Notes on GET: Appends form-data into the URL in name/value pairs.
The action attribute defines the action to be performed when the form is submitted. Usually, the form data is sent to a file on the server when the user clicks on the submit button. In the example below, the form data is sent to a file called "action_page.php".
The HTML | action Attribute is used to specify where the formdata is to be sent to the server after submission of the form. It can be used in the <form> element. Attribute Values: URL: It is used to specify the URL of the document where the data to be sent after the submission of the form.
If the page the form is hosted on is not served over HTTPS, then it can be intercepted and modified en route. These modifications can include such things as changing the action of the form, or adding JavaScript to send the data to a third party before submitting the form as normal.
Submitting the form over HTTPS is not sufficient to protect the data. The form needs to be delivered that way too.
HTTPS on the form's action is sufficient to encrypt the form submission.
The page that hosts the form doesn't have to HTTPS, although it helps to give the users confidence that their data is secure.
The other benefit of securing the hosting page is that the form can't be spoofed or altered by a man-in-the-middle.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With