How to use HTTPS to protect customer data

SSL should be employed wherever sensitive information is going to be transmitted. This includes site configuration data such as passwords, database connection info, and sensitive paths. Basically, any time the administrator or a customer is typing something that you don't want intercepted, SSL should be used to ensure that the information is passed securely over the Internet.

User information is definitely included in this list, especially on the screens where users need to type a password (the login screen at /user and the account info screen at /user/*/edit), but also even when you're "just" collecting address information.

Likewise, it makes sense to put administration tasks behind a secure certificate. You might even consider additional HTTP authentication for these pages - you can really never be too secure with your customers' and website's sensitive data.

SSL functionality is provided through the Drupal module "Secure Pages", which you may download from http://drupal.org/project/securepages. Once installed on your site, Secure Pages allows you to designate certain sections of your site as secure, accessible using only the HTTPS protocol. As a minimum, you should consider protecting any page that displays or collects sensitive user information such as passwords, credit card numbers, etc.
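To confirm that the sections you designated are really being served only over HTTPS, you can audit a list of requested URLs (from a crawl or an access log) against the same path patterns. The following is an added example, not code from Secure Pages or from this page: the /user and /user/*/edit patterns come from the text above, while the /admin* pattern, the sample URLs and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# /user and /user/*/edit come from the page; /admin* is an assumed pattern
# standing in for the "administration tasks" the page mentions.
SENSITIVE_PATTERNS = ["/user", "/user/*/edit", "/admin*"]

def pattern_to_regex(pattern):
    """Translate a '*' wildcard path pattern into an anchored regex."""
    parts = [re.escape(piece) for piece in pattern.split("*")]
    # Case-insensitive is the conservative choice for an audit: /USER is flagged too.
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)

COMPILED = [(p, pattern_to_regex(p)) for p in SENSITIVE_PATTERNS]

def matching_pattern(path):
    """Return the first sensitive pattern the path matches, or None."""
    path = path.rstrip("/") or "/"   # treat /user/ the same as /user
    for pattern, regex in COMPILED:
        if regex.match(path):
            return pattern
    return None

def audit(urls):
    """Return (url, pattern) pairs for sensitive paths requested over plain HTTP."""
    findings = []
    for url in urls:
        parts = urlsplit(url)        # the query string is excluded from parts.path
        pattern = matching_pattern(parts.path)
        if pattern and parts.scheme.lower() != "https":
            findings.append((url, pattern))
    return findings

# Constructed sample URLs; example.com is a placeholder host.
SAMPLE_URLS = [
    "https://example.com/user",
    "http://example.com/user/42/edit",
    "http://example.com/node/7",
    "http://example.com/admin/settings?x=1",
    "http://example.com/USER/",
    "https://example.com/user/42/edit",
]

if __name__ == "__main__":
    for url, pattern in audit(SAMPLE_URLS):
        print(f"INSECURE {url} (matches {pattern})")
```

Any URL this reports is a page that displays or collects sensitive data and was reachable without HTTPS, so its path pattern is missing from, or not enforced by, the secure-section configuration.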

Migrating a site

You need to migrate your Drupal site if you change hosts, or if you maintain separate development and live sites. This is an outline of the process – perhaps only a checklist – but it includes some steps that are not well described elsewhere. You need to adjust these steps depending on the modules you use and your server environments.
