I don't need to put the whole website under SSL(https://) but the Payment Controller only.
Is it okay to use [RequireHttps] for that controller only or should it be applied to each controller?
Thank you!
Add a comment
|
2 Answers
It depends on what you mean by "Ok". If you have something that's sensitive, then you really should apply SSL to the entire site, otherwise one of they key factors, the authentication cookie, can be hijacked and make your SSL pointless.
My general rule of thumb is, if one part of the site needs SSL, then the entire site should be SSL. I'm not even sure why you think it's a problem. It's true that SSL requires slightly more resources, but that's only the first time you connect, after that, there is no noticeable overhead of SSL.
See http://blogs.msdn.com/b/rickandy/archive/2011/05/02/securing-your-asp-net-mvc-3-application.aspx
Many web sites log in via SSL and redirect back to HTTP after you’re logged in, which is absolutely the wrong thing to do. Your login cookie is just as secret as your username + password, and now you’re sending it in clear-text across the wire. Besides, you’ve already taken the time to perform the handshake and secure the channel (which is the bulk of what makes HTTPS slower than HTTP) before the MVC pipeline is run, so redirecting back to HTTP after you’re logged in won’t make the current request or future requests much faster.
2 Comments
MushinNoShin
The point of caution over what would be a vanishingly small performance degradation is a very good one. One the OP should take under very seriously and likely act upon.
NoWar
Special thanks for the last paragraph, man! That is I was asking! Awesome!
Better go with SSL-only for the whole site. You win: - better Google trust, since Google prefers SSL-only - better trust for your users
CPU power is cheap these days, and unless you are handling millions of users, the SSL-only-extracost are marginal.
