Can I develop and test a secure web application without SSL?

I need to create a small web application that will eventually need to be run over SSL.

My question is: can I design and test it as if it were a regular application, and only later add everything that is necessary to protect it? Or should I check it over SSL from the start?

+4
5 answers

You will be waiting on SSL while developing your application. Be careful not to encode any http:// URLs, and I do not think you will encounter any problems for most of your development. Just make sure you do a lot of testing after switching to SSL before going live.

+4

You can test using SSL, but there are a few things you need to pay attention to. If you download images or components (for example, a CAPTCHA) from third-party sites, you need to make sure that you can call them via SSL. Sometimes pixel tracking for web analytics software can also hurt here.

+4

My question is: can I design and test it as if it were a regular application, and only later add everything that is necessary to protect it? Or should I check it over SSL from the start?

If by “whatever is necessary to make it secure” you mean enabling SSL, then be sure to approach it. But if other things are needed for security, such as authentication, authorization, role-based access, and so on, then no. The usual wisdom is to enable security at all stages of development, because you cannot just “enable it” at the end. Most of the problems with implementing a secure system with a rich set of access controls will not arise if you do not really test the basic functionality and are not limited to these controls, and you can also check both the “happy path” and the “unlucky path” through the code.

+3

In addition to the http URL, keep track of port numbers; your HTTPS traffic will not be on port 80.

+2

Proxy all your requests with a non-https resource in your domain, especially if you use AJAX calls. I ran into a problem (making AJAX calls from a non-SSL page to an SSL URL) a while ago.

+2
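A pre-switch check for the pitfalls the answers above name (hard-coded http:// URLs, third-party resources, port 80, AJAX endpoints), as an added example that is not part of any answer. It assumes the pages or templates are available as HTML text; `audit`, `MixedContentAudit` and the sample host names are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> (URL attribute, class): "active" loads are blocked on HTTPS pages.
SUBRESOURCES = {"script": ("src", "active"), "iframe": ("src", "active"),
                "link": ("href", "active"), "img": ("src", "passive")}
HTTP_LITERAL = re.compile(r"""["'](http://[^"']+)["']""")

class MixedContentAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False

    def _check(self, line, tag, url, kind):
        parts = urlsplit(url)
        if parts.scheme == "http":
            self.findings.append((line, tag, url, kind))
        elif parts.netloc and parts.port == 80:
            # https://host:80 or //host:80: secure scheme, plain-HTTP port.
            self.findings.append((line, tag, url, "port-80"))

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        attr, kind = SUBRESOURCES.get(tag, (None, None))
        url = dict(attrs).get(attr)
        if url:
            self._check(self.getpos()[0], tag, url, kind)

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        # Hard-coded URLs inside inline JavaScript, such as AJAX endpoints.
        if self._in_script:
            for m in HTTP_LITERAL.finditer(data):
                line = self.getpos()[0] + data.count("\n", 0, m.start())
                self._check(line, "script-literal", m.group(1), "active")

def audit(html):
    parser = MixedContentAudit()
    parser.feed(html)
    parser.close()
    return parser.findings  # list of (line, tag, url, problem)

# Constructed sample page; every host name is a placeholder.
SAMPLE = """<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="https://captcha.example.test:80/api.js"></script>
<img src="http://analytics.example.test/pixel.gif">
<a href="http://partner.example.test/">plain link, not a subresource</a>
<script>var api = "http://app.example.test/ajax/cart";</script>"""
```

Running `audit(SAMPLE)` reports the stylesheet, the port-80 script, the tracking pixel and the AJAX URL, and leaves the ordinary `<a>` link alone because navigating to an http:// page is not a subresource load.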

Source: https://habr.com/ru/post/1314281/

