Should I invest my time in making my site HTTPS-only?


I’m building a Django website that does not need to have registration/authentication.

The only sensitive part is a form with a reCaptcha v2. Of course I’m embedding the CSRF token, which I then read with JavaScript and send with Ajax requests.

Is HTTPS needed in this case? I’m somewhat confused, since as far as I know the token can be used only once.

How to solve:


Method 1

Is HTTPS needed in this case?

In every case that I can think of HTTPS is beneficial.

The trivial case is if you don’t have sessions: why would you need a secure connection if there are no sessions and everything is public? Having a secure connection actually helps your Google PageRank, and it also helps the user feel more secure when visiting your site.

If you actually have sessions and dynamic content the benefits are of course more substantial.

One easy way to implement SSL/TLS certificates is using CloudFlare or some similar service.

Method 2

What’s the content of your website?

Is it anything anyone anywhere in the world could want to access without other people knowing about it (governments, marketers, snoops on the same wifi network)? Remember that what might be perfectly acceptable to view in your culture might not be acceptable elsewhere (like opinions about politics, sexuality or religion). HTTPS protects the privacy of your users.

Also, HTTPS protects you from any MITM attackers who falsify your content. Without HTTPS, any intermediary can change or inject content on your website, like additional advertisements in the best case and malware or misinformation in your name in the worst case. HTTPS protects you and your users from that.

In this day and age, you don’t need a good reason to use encryption, you need a good reason not to. And no, performance is usually not a good reason – thanks to hardware-accelerated encryption the added processing strain on your server is usually negligible.
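Both answers say HTTPS is worth having; for a Django site the practical follow-up is making the site HTTPS-only once a certificate is in place (for example terminated at Cloudflare, as Method 1 suggests, which is also why the MITM injection Method 2 describes stops working). The block below is an added example and is not code from either answer or from Django itself. The setting names are Django's real settings; the `audit_https_settings` helper, the `behind_tls_proxy` flag and the two sample configurations are constructed for this example.

```python
"""Added example: HTTPS-only settings for a Django project.

The setting names are Django's own (django.conf.settings); the audit
helper and the two sample configurations are constructed for this example
and are not part of Django or of the original answers.
"""

# What a fresh Django project effectively runs with: plain HTTP is served,
# cookies go out over HTTP, no HSTS. These are Django's defaults.
WEAK_SETTINGS = {
    "SECURE_SSL_REDIRECT": False,
    "SECURE_HSTS_SECONDS": 0,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": False,
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
    "SECURE_PROXY_SSL_HEADER": None,
}

# HTTPS-only: redirect every http:// request, tell browsers to stay on
# HTTPS (HSTS), and mark the session and CSRF cookies Secure so they are
# never sent over plain HTTP even if a user types http://.
HARDENED_SETTINGS = {
    "SECURE_SSL_REDIRECT": True,
    "SECURE_HSTS_SECONDS": 31536000,  # one year; test with a small value first
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    # Needed when TLS is terminated in front of Django (Cloudflare, nginx):
    # Django then trusts this header to decide request.is_secure().
    # Only set it if the proxy overwrites the header on every request.
    "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
}


def audit_https_settings(settings, behind_tls_proxy=False):
    """Return a list of problems with an HTTPS-only configuration.

    `settings` is a mapping like the two above (or a dict built from
    django.conf.settings). Missing keys count as Django's defaults.
    `behind_tls_proxy` says whether a proxy/CDN terminates TLS in front
    of Django (a constructed flag for this example).
    """
    problems = []
    if not settings.get("SECURE_SSL_REDIRECT", False):
        problems.append("SECURE_SSL_REDIRECT is off: http:// requests are served, not redirected")
    if settings.get("SECURE_HSTS_SECONDS", 0) <= 0:
        problems.append("SECURE_HSTS_SECONDS is 0: no Strict-Transport-Security header")
    elif not settings.get("SECURE_HSTS_INCLUDE_SUBDOMAINS", False):
        problems.append("SECURE_HSTS_INCLUDE_SUBDOMAINS is off: subdomains stay downgradable")
    for cookie in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not settings.get(cookie, False):
            problems.append(f"{cookie} is off: cookie can leak over plain HTTP")
    header = settings.get("SECURE_PROXY_SSL_HEADER")
    if behind_tls_proxy and header is None:
        # Proxy speaks plain HTTP to Django, so is_secure() is False and
        # SECURE_SSL_REDIRECT keeps redirecting: a redirect loop.
        problems.append("SECURE_PROXY_SSL_HEADER unset: behind a TLS-terminating proxy "
                        "Django sees every request as http and redirect-loops")
    if not behind_tls_proxy and header is not None:
        # Without a proxy that rewrites the header, a client can send it
        # itself and have an HTTP request treated as HTTPS.
        problems.append("SECURE_PROXY_SSL_HEADER set without a proxy: a client can spoof "
                        "X-Forwarded-Proto and make Django treat HTTP as HTTPS")
    return problems


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(f"{name}:")
        for problem in audit_https_settings(cfg, behind_tls_proxy=True) or ["ok"]:
            print("  -", problem)
```

Django ships its own version of this check: `python manage.py check --deploy` warns about the same settings. The one thing it cannot know is whether a proxy terminates TLS for you, which is why the example carries that as an explicit flag.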


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
