
I'm building a Django website that does not need to have registration/authentication.

The only sensitive part is a form with a reCaptcha v2. Of course I'm embedding the CSRF token, which then I read with Javascript and send it with Ajax requests.

Is HTTPS needed in this case? I'm somewhat confused, since as far as I know the token can be used only once.

rubik
  • do you send the token via GET or POST? –  Aug 27 '15 at 07:31
  • @begueradj It's a POST request in which I set the `XCSRFToken` header. – rubik Aug 27 '15 at 07:32
  • What's the content of the form? Big difference between "what's your favorite colour" and "describe your medical history" – paj28 Aug 27 '15 at 14:48
  • @paj28 Well the captcha is there only to protect myself from automatic retrieval of information from robots. The user does not have to input any personal information. The "sensitive" data is the one that is sent back with the Ajax response, and I don't want it to be automatically scraped by bots. – rubik Aug 27 '15 at 15:02
  • In that case HTTPS has little security benefit. You don't need it. People have commented that there are other benefits like PageRank. Ultimately you have to decide how you want to invest your time. – paj28 Aug 27 '15 at 15:22
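Added example, not part of the question or of Django's own code: a simplified model of the decision Django's `CsrfViewMiddleware` makes for the Ajax POST described above (the `csrftoken` cookie compared against the `X-CSRFToken` header, with strict Referer checking applied to HTTPS requests only, as the Django documentation describes; newer Django versions also check the `Origin` header, which is omitted here). The host name and token values are constructed. It shows what the check does and does not do: it compares two copies of the same token, it does not expire the token after one request (the same value is accepted on consecutive POSTs), and it offers no confidentiality for the token or the response, which is what HTTPS provides.

```python
"""Model of Django's CSRF check for an Ajax POST (added example, not Django's code)."""
import hmac
from urllib.parse import urlsplit

CSRF_COOKIE_NAME = "csrftoken"     # Django's default CSRF_COOKIE_NAME
CSRF_HEADER_NAME = "X-CSRFToken"   # header the question's Ajax code sets
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def csrf_check(method, scheme, host, cookies, headers):
    """Return (allowed, reason) for one request.

    `scheme` is the scheme of the request as the server sees it ("http" or "https"),
    `host` the site's own host name; `cookies` and `headers` are plain dicts.
    """
    if method in SAFE_METHODS:
        return True, "safe method, no CSRF check"
    cookie_token = cookies.get(CSRF_COOKIE_NAME)
    request_token = _header(headers, CSRF_HEADER_NAME)
    if not cookie_token or not request_token:
        return False, "403: CSRF cookie or X-CSRFToken header missing"
    # Constant-time comparison: the token is a secret shared by browser and server.
    if not hmac.compare_digest(cookie_token.encode(), request_token.encode()):
        return False, "403: CSRF token mismatch"
    # Strict Referer checking is applied to HTTPS requests only.
    if scheme == "https":
        referer = _header(headers, "Referer")
        if not referer:
            return False, "403: Referer header required on HTTPS"
        parts = urlsplit(referer)
        if parts.scheme != "https" or parts.netloc != host:
            return False, "403: Referer does not match this site"
    return True, "request accepted"


def token_reuse_demo():
    """Show that one token is accepted on consecutive POSTs (it is not single-use)."""
    cookies = {CSRF_COOKIE_NAME: "s3cr3ttoken"}   # constructed sample value
    headers = {CSRF_HEADER_NAME: "s3cr3ttoken"}
    first = csrf_check("POST", "http", "example.test", cookies, headers)
    second = csrf_check("POST", "http", "example.test", cookies, headers)
    return first[0] and second[0]


if __name__ == "__main__":
    print(csrf_check("POST", "http", "example.test",
                     {"csrftoken": "abc"}, {"X-CSRFToken": "abc"}))
    print("same token accepted twice:", token_reuse_demo())
```

The check only establishes that the request came from a page that could read the site's own cookie; whether a third party on the path could also read that cookie, or alter the page that sets it, is decided by the transport, not by the middleware.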

2 Answers

4

Is HTTPS needed in this case?

In every case that I can think of, HTTPS is beneficial.

The trivial case is if you don't have sessions: why would you need a secure connection if there are no sessions and everything is public? Having a secure connection actually helps your Google PageRank, and it also helps the user feel more secure by visiting your site. [image]

If you actually have sessions and dynamic content the benefits are of course more substantial.

One easy way to implement SSL/TLS certificates is using CloudFlare or some similar service.

S.L. Barth
Purefan
  • I think all those examples you show are Extended Validation (EV) certificates, which are much more annoying (and costly) to get. – Nick T Nov 13 '15 at 20:25
2

What's the content of your website?

Is it anything anyone anywhere in the world could want to access without other people knowing about it (governments, marketers, snoops on the same wifi network)? Remember that what might be perfectly acceptable to view in your culture might not be acceptable elsewhere (like opinions about politics, sexuality or religion). HTTPS protects the privacy of your users.

Also, HTTPS protects you from any MITM attackers which falsify your content. Without HTTPS, any intermediates can change or inject content of your website, like additional advertisement in the best case and malware or misinformation in your name in the worst case. HTTPS protects you and your users from that.

In this day and age, you don't need a good reason to use encryption, you need a good reason not to. And no, performance is usually not a good reason - thanks to hardware accelerated encryption the added processing strain on your server is usually negligible.

Philipp
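Added example for both answers, not code from either poster or from Django: once TLS is in place (whether via CloudFlare, as the first answer suggests, or on your own server), Django has to be told about it, or the MITM protections the second answer describes are incomplete: the `csrftoken` cookie can still be sent over plain HTTP, plain-HTTP links are served instead of redirected, and no HSTS header is emitted. The function below audits a settings mapping for the HTTPS-related settings that `python manage.py check --deploy` also warns about. The settings names are Django's; the two sample settings dicts are constructed. The proxy branch covers the CloudFlare case: behind a TLS-terminating proxy Django receives plain HTTP and needs `SECURE_PROXY_SSL_HEADER`, but that setting is only safe when the proxy overwrites the `X-Forwarded-Proto` header on every request.

```python
"""Audit a Django settings mapping for HTTPS-only deployment (added example)."""

# Each check: (setting name, predicate for an acceptable value, what is wrong otherwise).
HTTPS_CHECKS = [
    ("SECURE_SSL_REDIRECT", lambda v: v is True,
     "plain-HTTP requests are served instead of redirected to HTTPS"),
    ("SESSION_COOKIE_SECURE", lambda v: v is True,
     "session cookie may be sent over plain HTTP"),
    ("CSRF_COOKIE_SECURE", lambda v: v is True,
     "csrftoken cookie may be sent over plain HTTP"),
    ("SECURE_HSTS_SECONDS", lambda v: isinstance(v, int) and v > 0,
     "no Strict-Transport-Security header; browsers keep following plain-HTTP links"),
]

# Value Django's docs give for a proxy that sets X-Forwarded-Proto.
EXPECTED_PROXY_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def audit_https_settings(settings, behind_tls_proxy):
    """Return a list of findings (empty when the settings are consistent with HTTPS-only).

    `behind_tls_proxy` is True when TLS is terminated in front of Django, e.g. by
    CloudFlare or a load balancer, so Django itself receives plain HTTP.
    """
    findings = []
    for name, acceptable, problem in HTTPS_CHECKS:
        if not acceptable(settings.get(name)):
            findings.append(f"{name}: {problem}")
    proxy_header = settings.get("SECURE_PROXY_SSL_HEADER")
    if behind_tls_proxy and proxy_header != EXPECTED_PROXY_HEADER:
        findings.append(
            "SECURE_PROXY_SSL_HEADER: Django cannot tell that the proxied request "
            "was HTTPS, so request.is_secure() is False and SECURE_SSL_REDIRECT loops")
    if not behind_tls_proxy and proxy_header is not None:
        findings.append(
            "SECURE_PROXY_SSL_HEADER: set without a proxy that overwrites "
            "X-Forwarded-Proto, so a client can claim a plain-HTTP request is secure")
    return findings


# Constructed sample: a development-style configuration with no HTTPS settings ...
DEV_SETTINGS = {"DEBUG": True, "ALLOWED_HOSTS": ["*"]}

# ... and a hardened one for a site served through a TLS-terminating proxy.
HARDENED_SETTINGS = {
    "DEBUG": False,
    "SECURE_SSL_REDIRECT": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "SECURE_HSTS_SECONDS": 31536000,          # one year
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SECURE_PROXY_SSL_HEADER": EXPECTED_PROXY_HEADER,
}

if __name__ == "__main__":
    for label, cfg, proxied in (("dev", DEV_SETTINGS, False),
                                ("hardened", HARDENED_SETTINGS, True)):
        print(label, audit_https_settings(cfg, proxied) or ["no findings"])
```

Run it against your own `settings.py` values by passing `vars(settings)` or the relevant subset; the hardened dict passes only when `behind_tls_proxy` matches how the site is actually deployed, which is the point of the last two checks.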