Question in title, but I'll elaborate.
Say I have a form on a non-secure page, but I don't want the data that the user is posting to my web server to make sense to anyone who might intercept it. Do I need to serve the form securely or simply post the form to a secure URL?
By serving the form unsecured, you allow a man-in-the-middle to alter your form's POST destination, letting an attacker harvest login information. But MITM attacks are not common, so you're probably fine serving the form unsecured.
No. The post data is what counts. You can serve the login page over regular HTTP and post to HTTPS. You want the username and password to be encrypted, so we send that to the server over HTTPS we are golden.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With