How do I implement HTTPS on only part of a website?

I was wondering how one can implement HTTPS on one part of a website? Let's say I want to create an online store. I want to be able to view all items without HTTPS (is it faster?). And when I want to make a payment, I want to use HTTPS. As far as I've read in other articles, when IIS is configured to use HTTPS, the configuration is applied to the entire site :(

PS Another question. What if I want the store to be available only to users who already have accounts (which means users must be logged into the store)? The user then adds items to the cart and then goes to the checkout page (which uses HTTPS). Should they have a different account to check and sign in on the HTTPS page?

+3


source to share


3 answers


There is nothing wrong with using HTTPS for the entire website - in fact, it is encouraged. The lack of performance in using HTTPS for all requests back in the 1990s when computer hardware was not as powerful as it is today, but now the only reason not to do HTTPS on all sites is that you cannot afford to get a certificate in 20 USD expenses :)



Either way, the articles you read are half right. HTTPS support can only be enabled for each website, however you do not need to make HTTP messages mandatory for the entire site: this is controlled by the "Require SSL / TLS" checkbox in IIS. If you leave this check box unchecked, users can browse the site using unsecured HTTP. When it comes to the checkout page, you can implement the "Require SSL / TLS" feature in your ASP.NET code (check the property Request.IsSecureConnection

), for example by redirecting the secure version of your site.

+5


source


There is a nice module that can help you automatically switch from http to https in asp.net

I suggest using http for all pages that are not related to sensitive data, and only https on whoever has sensitive data.



The main reason is that if everything is transmitted from https, including images, the data being committed is larger and the time to encrypt and decrypt it adds to the total time to show the page - so you can simply avoid that, latency and computation. After all, all major sites do the same (amazon, ebay, zazzle, cafepress, Endless, Crate and Brrel, among others). They know something else - don't you think?

Relative answer: Preparing my ASP.NET/MVC site to use SSL?

+1


source


I was told that if you want to implement HTTPS it depends on how you want your site to be secure. There are SSL certificates that can be bought for a cheap price, but security can be limited. High security, of course, is really expensive, but high security. I believe that if you want to make your site as secure as possible, think about the possible and reasonable price you can afford to make your site. Hope this link is helpful.

10 cheapest SSL certificates

0


source







All Articles