Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

Professional Opinions
Ask a Question
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

troubleshooting Question

SSL certifcate application on certain parts of website

Avatar of ara99
ara99 asked on
SecurityEncryptionInternet Protocol Security
15 Comments1 Solution396 ViewsLast Modified:
Our website allows users to register and access their personal information (UID/PWD required) and allows for our employees to build web pages via a CMS (content management system - UID/PWD required) and use an online ADMIN area (UID/PWD required) to add/view user info, add items to eshop, etc., (actual eshop purchases are handled by a 3rd party).

Our site is set up something like this:


Of paramount importance is to protect the CMS portion, next comes production login/registration related pages and production ADMIN. Down the road, the CMS will be run internally only.  We do not store any credit card or financial information.

I would like to protect certain parts of our site via https and would like advice in best practice.  We have installed an SSL certificate on the site but have not applied it on any paths/pages yet.  I am considering forcing https for the following folders/pages

1)      Production login page (since login is available on home page, https would be utilized after UID/PWD is input and "login" button is selected)
2)      Production registration and forgot password functionality pages
3)      Production private areas paths (protect all pages on certain paths (folders) on main site that have private content - only accessible after certified login)
4)      Production Admin (entire ADMIN path where employees can work with user info, manage online forums, add new eshop products - again credit cards are handled via https by a 3rd party).  This means everything below .com/Admin is https
5)      Production CMS (entire CMS path).  This means everything below .com/CMS is https

1) Do the five options above seem reasonable?
2) Do I have the right idea when I say "apply the certificate on certain paths/pages"? Can you apply SSL on a path where every page on the path utilizes https?
3) For #1 is this straightforward, in otherwords the home page doesn't load with https: only after inputting a UID/PWD and clicking "login" is the "s" applied.  After login, user goes back to http.
4) I know "https" will slow things down, I'm considering #4,#5 to apply SSL accross all of ADMIN and CMS.  Does this seem right?  Do we just need the login pages protected on each instead?  My concern is that someone could sniff private info being saved on ADMIN or pages being written and saved on CMS.


Avatar of brasslan

Our community of experts have been thoroughly vetted for their expertise and industry experience.

This problem has been solved!
Unlock 1 Answer and 15 Comments.
See Answers