How to make a website secured with https

Question

I have to build a small webapp for a company to maintain their business data     Only those within the company will be using it  but we are planning to host it in public domain  so that the employees can connect to app from various locations   Till now I have built web apps that are hosted internally only   I m wondering whether I need to use a secured connection  https  or just the forms authentication is enough   If you say https  I have some questions     What should I do to prepare my website for https    Do I need to alter the code   Config  Is SSL and https one and the same    Do I need to apply with someone to get some license or something  Do I need to make all my pages secured or only the login page      I was searching Internet for answer  but I was not able to get all these points    Any whitepaper or other references would also be helpful     Feel free to ask incase you need more information   Thanks   Raja

User · Answer

I think you are getting confused with your site Authentication and SSL.

If you need to get your site into SSL, then you would need to install a SSL certificate into your web server. You can buy a certificate for yourself from one of the places like Symantec etc. The certificate would contain your public/private key pair, along with other things.

You wont need to do anything in your source code, and you can still continue to use your Form Authntication (or any other) in your site. Its just that, any data communication that takes place between the web server and the client will encrypted and signed using your certificate. People would use secure-HTTP (https://) to access your site.

View this for more info --> http://en.wikipedia.org/wiki/Transport_Layer_Security

User · Answer

What kind of business data  Trade secrets or just stuff that they don t want people to see but if it got out  it wouldn t be a big deal  If we are talking trade secrets  financial information  customer information and stuff that s generally confidential  Then don t even go down that route      I m wondering whether I need to use a   secured connection  https  or just the   forms authentication is enough    Use a secure connection all the way      Do I need to alter the code   Config   Yes  Well may be not  You may want to have an expert do this for you       Is SSL and https one and the same      Mostly yes  People usually refer to those things as the same thing      Do I need to apply with someone to get some license or something    You probably want to have your certificate signed by a certificate authority  It will cost you  or your client a bit of money      Do I need to make all my pages secured or only the login page      Use https throughout  Performance is usually not an issue if the site is meant for internal users      I was searching Internet for answer    but I was not able to get all these   points    Any whitepaper or other   references would also be helpful      Start here for some pointers  http   www owasp org index php Category OWASP Guide Project  Note that SSL is a minuscule piece of making your web site secure once it is accessible from the internet  It does not prevent most sort of hacking

User · Answer

For business data  if the data is private I would use a secured connection  otherwise a forms authentication is sufficient    If you do decide to use a secured connection  please note that I do not have experience with securing websites  I am just recanting off what I encountered during my own personal experience  If I am wrong in anyway  please feel free to correct me      What should I do to prepare my website for https   Do I need to alter the code   Config    In order to enable SSL  Secure Sockets Layer  for your website  you would need to set-up a certificate  code or config is not altered   I have enabled SSL for an internal web-server  by using OpenSSL and ActivePerl from this online tutorial  If this is used for a larger audience  my audience was less than 10 people  and is in the public domain  I suggest seeking professional alternatives      Is SSL and https one and the same      Not exactly  but they go hand in hand  SSL ensures that data is encrypted and decrypted back and forth while you are viewing the website  https is the URI that is need to access the secure website  You will notice when you try to access http   secure mydomain com it displays an error message      Do I need to apply with someone to get some license or something    You would not need to obtain a license  but rather a certificate  You can look into companies that offer professional services with securing websites  such as VeriSign as an example      Do I need to make all my pages secured or only the login page      Once your certificate is enabled for mydomain com every page that falls under   mydomain com will be secured

User · Answer

Try making a boot directory in PHP  as in   lt  PHP  ip     SERVER  REMOTE ADDR     privacy     BOOTSTRAP CONFIG     shell       BOOTSTRAP OUTPUT    enter code here if  ip     privacy   function  privacy int  ip    https        endif   echo  shell     gt    Thats mainly it

User · Answer

balalakshmi mentioned about the correct authentication settings  Authentication is only half of the problem  the other half is authorization   If you re using Forms Authentication and standard controls like  lt asp Login gt  there are a couple of things you ll need to do to ensure that only your authenticated users can access secured pages   In web config  under the  lt system web gt  section you ll need to disable anonymous access by default    lt authorization gt    lt deny users       gt   lt  authorization gt    Any pages that will be accessed anonymously  such as the Login aspx page itself  will need to have an override that re-allows anonymous access  This requires a  lt location gt  element and must be located at the  lt configuration gt  level  outside the  lt system web gt  section   like this    lt  -- Anonymous files -- gt   lt location path  Login aspx  gt    lt system web gt     lt authorization gt      lt allow users       gt     lt  authorization gt    lt  system web gt   lt  location gt    Note that you ll also need to allow anonymous access to any style sheets or scripts that are used by the anonymous pages    lt  -- Anonymous folders -- gt   lt location path  styles  gt    lt system web gt     lt authorization gt      lt allow users       gt     lt  authorization gt    lt  system web gt   lt  location gt    Be aware that the location s path attribute is relative to the web config folder and cannot have a    prefix  unlike most other path-type configuration attributes

User · Answer

What should I do to prepare my website   for https   Do I need to alter the   code   Config    You should keep best practices for secure coding in mind  here is a good intro  http   www owasp org index php Secure Coding Principles    otherwise all you need is a correctly set up SSL certificate      Is SSL and https one and the same     Pretty much  yes      Do I need to apply with someone to get   some license or something    You can buy an SSL certificate from a certificate authority or use a self-signed certificate  The ones you can purchase vary wildly in price - from  10 to hundreds of dollars a year  You would need one of those if you set up an online shop  for example  Self-signed certificates are a viable option for an internal application  You can also use one of those for development  Here s a good tutorial on how to set up a self-signed certificate for IIS  Enabling SSL on IIS 7 0 Using Self-Signed Certificates     Do I need to make all my pages secured   or only the login page     Use HTTPS for everything  not just the initial user login  It s not going to be too much of an overhead and it will mean the data that the users send receive from your remotely hosted application cannot be read by outside parties if it is intercepted  Even Gmail now turns on HTTPS by default

User · Answer

4 Do I need to make all my pages secured or only the login page     Just keep the login page under https  this will ensure there is no overhead when browsing other pages  the condition is you need to provide correct authentication settings in the web config  This is to ensure users who are not logged in will not be able to browse pages that would need authentication

[asp.net] How to make a website secured with https

Examples related to asp.net

Examples related to ssl

Examples related to https

Examples related to asp.net-2.0