Tuesday 11 September 2012

Re: [dcphp-dev] HTTPS Hosting

Ray,

I've set up HTTPS-only for several properties of mine. Here's what I learned from doing that. 

The best way to accomplish the HTTPS-only site is to have an Apache virtual host for all incoming port 80 requests rewrite those requests to HTTPS and then 302 redirect the user. This means no matter the entrance point you should be able to have all requests over HTTPS.

Second, depending on the certificate level you purchase you will have to be wary of subdomains. The more expensive certificates allow you to have subdomains on them. Installing a certificate is trivially easy: place it in the certificates directory and reference it from the 443 vhost. 

Some data security considerations. Remember that even if data is transmitted over HTTPS, if you are in a shared hosting environment, your data is still at risk. I strongly recommend a VPS at minimum for financial data. Encrypt and properly store all critical data. It's better not to store data such as credit card numbers. You should consult published best practices, as I am not an expert in that particular field. 

Brandon

Sent from my iPhone

On Sep 11, 2012, at 9:14 AM, Ray Paseur <ray.paseur@gmail.com> wrote:

Colleagues: I will need to handle some online communications about financial data, hence a requirement for all-HTTPS hosting service.  What hosting company would you recommend?  What gotchas should be considered?  All comments welcomed.  Thanks to all, Ray
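
The two-vhost layout Brandon's reply describes, as an added example that is not part of the original thread. The hostname `www.example.com`, the certificate and key paths, and the document root are placeholders, and the HSTS header is an addition the message does not mention; it needs mod_headers, and the redirect needs mod_rewrite.

```apache
# Port 80 vhost: serves no content, only redirects every request to HTTPS.
<VirtualHost *:80>
    ServerName www.example.com

    RewriteEngine On
    # Redirect to a fixed hostname rather than echoing the client's Host
    # header, so a forged Host value cannot steer the redirect elsewhere.
    # R=302 matches the redirect type described in the message.
    RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=302,L]
</VirtualHost>

# Port 443 vhost: the only place the application is actually served.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example

    SSLEngine on
    # Placeholder paths: the certificate file is referenced from this vhost.
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    # Keep the private key readable by root only.
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Addition, not from the message: the first plain-HTTP request still
    # crosses the network unencrypted before the redirect. HSTS tells
    # browsers that have visited once to go straight to HTTPS afterwards.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

Running `apachectl configtest` before reloading catches syntax errors and missing modules. The certificate must list every hostname the 443 vhost answers for, which is the subdomain caveat raised in the reply.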
