X-Git-Url: https://git.decadent.org.uk/gitweb/?a=blobdiff_plain;f=lib%2FMaypole%2FManual%2FRequest.pod;h=64ee38b02d5dd8a4fe9eb16ab00ba7823d1e90a2;hb=349ed61cc56d78c7ce47eb08984c65d694d3aee0;hp=0aa333a6c22be22cf3ea03f2a54bff9336b574b2;hpb=f95d4d1dad59c1b82c3969199116722562399419;p=maypole.git diff --git a/lib/Maypole/Manual/Request.pod b/lib/Maypole/Manual/Request.pod index 0aa333a..64ee38b 100644 --- a/lib/Maypole/Manual/Request.pod +++ b/lib/Maypole/Manual/Request.pod @@ -53,6 +53,37 @@ or move the module loading to run-time (my preferred solution): BeerDB->setup("..."); BeerDB::Beer->require; +=head3 Redirecting to SSL for sensitive information + +You have a website with forms that people will be entering sensitive information into, +such as credit cards or login details. You want to make sure that they aren't sent +in plain text but over SSL instead. + +B + +The solution is a bit tricky for 2 reasons : + +Firstly -- Many browsers and web clients will change a redirected +POST request into a GET request (which displays all that sensitive information in the +browser, or access logs and possibly elsewhere) and/or drops the values on the floor. + +Secondly -- If somebody has sent that sensitive information in plain text already, then +sending it again over SSL won't solve the problem. + +Redirecting a request is actually rather simple : + +$r->redirect_request('https://www.example.com/path'); # perldoc Maypole for API + +.. as is checking the protocol : + +$r->get_protocol(); # returns 'http' or 'https' + +You should check that the action that generates the form that people will enter +the sensitive information into is https and redirect if not. + +You should also check that no information is lost when redirecting, possibly by +storing it in a session and retrieving it later - see Maypole::Plugin::Session + =head3 Debugging with the command line You're seeing bizarre problems with Maypole output, and you want to test it in
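Review bot: the redirect advice in this hunk guards the wrong request, and the session suggestion at the end contradicts the hunk's own second caveat. The text says to check that the action generating the form "is https and redirect if not", then proposes stashing submitted values in a session (Maypole::Plugin::Session) so nothing is lost across the redirect; but a few lines earlier it correctly notes that once the values have been POSTed in plain text, re-sending them over SSL does not help. Suggest stating it explicitly: do the `$r->get_protocol()` check and `$r->redirect_request('https://...')` on the GET that renders the form, so its action URL is https before anything sensitive is typed, and in the action that receives the POST treat a plain-http submission of sensitive fields as a failure (discard it and re-display the form over https) rather than storing and replaying it. Two smaller points in the same hunk: the line `+B` is an incomplete POD format code (presumably `B<...>`) and will render as a bare "B"; and the two example lines `$r->redirect_request('https://www.example.com/path');` and `$r->get_protocol();` are not indented, so POD will render them as ordinary paragraphs rather than verbatim code, and the `..` before "as is checking the protocol" should be `...`. Minor grammar: "and/or drops the values on the floor" should read "and/or drop".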