RequireHttpsAttribute and Encrypted Request Data

Posted by goatshepard on Stack Overflow
Published on 2012-10-23T22:31:43Z

I have a controller action that is accepting sensitive data.

public ActionResult TakeSensitiveData(SensitiveData data)
{
    // Persist the posted sensitive data.
    data.SaveSomewhere();
    return View();
}

To ensure the data is secure I want to be certain requests are made using HTTPS (SSLv3, TLS 1). One of the approaches I've considered using was the RequireHttpsAttribute on my action:

[RequireHttps]
public ActionResult TakeSensitiveData(SensitiveData data)
{
    // Persist the posted sensitive data.
    data.SaveSomewhere();
    return View();
}

However, upon testing this, Fiddler revealed that an HTTP request made to the action is 302 redirected to HTTPS. My question is this:

If I've made a request that is 302 redirected to HTTPS, haven't I already sent the sensitive data over HTTP before the redirect?
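
The exchange the question describes can be observed directly. This is an added example, not part of the original post: a Python standard-library server on localhost stands in for an endpoint that answers plain-HTTP requests with a 302 (it does not model ASP.NET MVC itself), and records what it received before the redirect was sent. The handler class, function name and sample body are assumptions made for the illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SECRET = b"secret=constructed-sample-value"  # constructed sample form body


class RedirectToHttps(BaseHTTPRequestHandler):
    """Stand-in for an endpoint that redirects plain-HTTP requests to HTTPS."""

    def _redirect(self):
        length = int(self.headers.get("Content-Length", 0))
        # By the time the server can decide to redirect, the path, query
        # string and body have already crossed the wire in cleartext.
        self.server.seen.append((self.command, self.path, self.rfile.read(length)))
        self.send_response(302)
        self.send_header("Location", "https://localhost" + self.path)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = _redirect

    def log_message(self, *args):  # keep the demo output quiet
        pass


def observe_plain_http_request(method, path, body=None):
    """Send one request over plain HTTP; return (status, what the server saw)."""
    server = HTTPServer(("127.0.0.1", 0), RedirectToHttps)  # port 0: any free port
    server.seen = []
    worker = threading.Thread(target=server.handle_request)  # serve exactly one request
    worker.start()
    conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
    conn.request(method, path, body=body)  # http.client does not follow redirects
    response = conn.getresponse()
    status = response.status
    response.read()
    conn.close()
    worker.join()
    server.server_close()
    return status, server.seen[0]


if __name__ == "__main__":
    print(observe_plain_http_request("POST", "/TakeSensitiveData", SECRET))
    print(observe_plain_http_request("GET", "/TakeSensitiveData?" + SECRET.decode()))
```

A server-side filter only runs after the request has arrived, so the client has to use an https:// URL for the first request. HSTS (the Strict-Transport-Security response header) makes browsers do that on later visits.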
