dpecb06062 2013-01-10 09:13

SSL security clarification [closed]

If I have a domain: https://somedomain.example with a valid SSL certificate, do I have to take any other precautions to encrypt data between clients and my server, or is my only concern now to protect data on the server via some AES encryption in my MySQL database?

Essentially, do I leave all of the security between client and server down to SSL, is that how Facebook and Google do it for instance?

2 answers

  • doune1000 2013-01-10 09:19

    Simply using SSL will handle all the encryption so the data will be protected in transit.

    Authentication, authorisation and defences against XSS and CSRF need handling separately. (Although you can use SSL client certs for authentication).

    XSS is something to watch out for in particular: if an attacker can inject JS into the page, then it can access the data in the browser where (unlike when it is in transit) it isn't encrypted.

    This answer was selected by the asker as the best answer.
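
The accepted answer separates what TLS covers (data in transit) from what the application must still handle (XSS, CSRF). As an added example, not part of the original answer, the following sketch audits the headers of an HTTPS response for those application-layer defences. The function names `parseSetCookie` and `auditResponse` and both sample responses are constructed for illustration.

```javascript
// Added example: checks an HTTPS response's headers for defences TLS does not provide.
// The two sample responses at the bottom are constructed for illustration.

function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';').map((s) => s.trim());
  const attrMap = new Map(
    attrs.map((a) => {
      const [k, v = ''] = a.split('=');
      return [k.toLowerCase(), v.toLowerCase()];
    })
  );
  return { name: pair.split('=')[0], attrs: attrMap };
}

function auditResponse(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];

  // CSP limits which scripts may run, reducing the impact of injected markup.
  if (!h['content-security-policy']) findings.push('no Content-Security-Policy');

  for (const line of [].concat(h['set-cookie'] || [])) {
    const c = parseSetCookie(line);
    // Without Secure the cookie is also sent over plain HTTP, outside TLS.
    if (!c.attrs.has('secure')) findings.push(`${c.name}: missing Secure`);
    // Without HttpOnly any script running in the page can read the cookie.
    if (!c.attrs.has('httponly')) findings.push(`${c.name}: missing HttpOnly`);
    // SameSite=Lax/Strict withholds the cookie from cross-site POSTs (a CSRF defence).
    const ss = c.attrs.get('samesite');
    if (ss !== 'lax' && ss !== 'strict') findings.push(`${c.name}: SameSite not Lax/Strict`);
  }
  return findings;
}

const weakResponse = { 'Set-Cookie': ['session=abc123; Path=/'] };
const hardenedResponse = {
  'Content-Security-Policy': "default-src 'self'",
  'Set-Cookie': ['session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict'],
};

console.log(auditResponse(weakResponse));     // four findings
console.log(auditResponse(hardenedResponse)); // no findings
```

Both sample responses would travel over the same encrypted connection; only the second carries the extra controls. HttpOnly and CSP reduce what an injected script can reach but do not replace output encoding, and SameSite complements rather than replaces CSRF tokens.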