RequireHttpsAttribute and Encrypted Request Data
Posted by goatshepard on Stack Overflow
Published on 2012-10-23T22:31:43Z
Indexed on 2012/10/23 23:00 UTC
I have a controller action that is accepting sensitive data.
public ActionResult TakeSensitiveData(SensitiveData data) {
    data.SaveSomewhere();
    // An action declared as ActionResult must return a result to compile.
    return new EmptyResult();
}
To ensure the data is secure I want to be certain requests are made using HTTPS (SSLv3, TLS 1). One of the approaches I've considered using was the RequireHttpsAttribute on my action:
[RequireHttps]
public ActionResult TakeSensitiveData(SensitiveData data) {
    data.SaveSomewhere();
    // An action declared as ActionResult must return a result to compile.
    return new EmptyResult();
}
However, upon testing this, Fiddler revealed that an HTTP request made to the action is 302 redirected to HTTPS. My question is this:
If I've made a request that is 302 redirected to HTTPS haven't I already sent the sensitive data over HTTP before the redirect?
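
Added example, not part of the original post: an authorization filter can only run after the server has received the request, so any data sent over plain HTTP has already crossed the network by then. The sketch below subclasses `RequireHttpsAttribute` to refuse such requests instead of redirecting them, and sets an HSTS header on HTTPS responses; the class name `RejectInsecureAttribute` and the `max-age` value are assumptions made for illustration.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical attribute name; this class is not part of ASP.NET MVC.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class RejectInsecureAttribute : RequireHttpsAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
            throw new ArgumentNullException("filterContext");

        // The base class calls HandleNonHttpsRequest when
        // Request.IsSecureConnection is false.
        base.OnAuthorization(filterContext);

        if (filterContext.HttpContext.Request.IsSecureConnection)
        {
            // HSTS tells a browser that has reached the site over HTTPS once
            // to use HTTPS for later requests to this host, so it stops
            // issuing plain-HTTP requests in the first place.
            // The max-age value (one year, in seconds) is an assumed setting.
            filterContext.HttpContext.Response.AppendHeader(
                "Strict-Transport-Security", "max-age=31536000");
        }
    }

    protected override void HandleNonHttpsRequest(AuthorizationContext filterContext)
    {
        // By the time this runs, the request line, headers and any body have
        // already been transmitted in clear text. Nothing done here undoes
        // that. Returning 403 rather than a redirect keeps the action from
        // processing the data and makes a client that posts over HTTP fail
        // visibly instead of being silently forwarded to HTTPS.
        filterContext.Result = new HttpStatusCodeResult(403, "HTTPS is required");
    }
}
```

Apply it as `[RejectInsecure]` in place of `[RequireHttps]` on the action, and make sure every form or client that targets the action uses an `https://` URL so the first request is already encrypted.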