[support] Drupal on HTTPS
Fabio Varesano
fabio.varesano at gmail.com
Thu Oct 23 19:28:22 UTC 2008
Personally I wouldn't consider the HTTP + HTTPS (just for some pages)
approach 100% secure. There are some security attacks which are still
possible with this solution.
If you are playing with a site where security is a key factor I would
consider running everything on HTTPS, redirecting HTTP requests to HTTPS.
Moreover I would actively advise users to always check the secure lock
to appears on their browsers.
Just my 2 cents.
Fabio Varesano
Metzler, David wrote:
> Naw we do this (Aside from the obvious performance issues about
> decripting data for large numbers of hits). There's a securepages
> module out there to force redirects on certain pages if your interested
> in making sur ethat just the login informatioin or user information
> happens over https.
>
> http://drupal.org/project/securepages
>
> Dave
>
> -----Original Message-----
> From: support-bounces at drupal.org [mailto:support-bounces at drupal.org] On
> Behalf Of Daniel Carrera
> Sent: Wednesday, October 22, 2008 1:07 PM
> To: support at drupal.org
> Subject: [support] Drupal on HTTPS
>
> Hello,
>
> Is there any harm in serving Drupal over HTTPS instead of HTTP?
>
> I want the Drupal login to be on HTTPS because I just don't like sending
> passwords in plain text. But with Apache it is no more work to make the
> entire site run on HTTPS versus just one page. In fact, it seems easier.
>
> So, I was wondering, is there any good reason not to serve a Drupal site
> over HTTPS? It seems a bit odd, but I figure, if I already have an SSL
> certificate, I figure, what's the harm?
>
> Thanks.
> Daniel
> --
> [ Drupal support list | http://lists.drupal.org/ ]
More information about the support
mailing list