Our website allows users to register and access their personal information (UID/PWD required) and allows for our employees to build web pages via a CMS (content management system - UID/PWD required) and use an online ADMIN area (UID/PWD required) to add/view user info, add items to eshop, etc., (actual eshop purchases are handled by a 3rd party).
Our site is set up something like this:
WE HAVE NO DEVELOPMENT OR AUTHORING ENVIRONMENTS AT THIS TIME.
Of paramount importance is to protect the CMS portion, next comes production login/registration related pages and production ADMIN. Down the road, the CMS will be run internally only. We do not store any credit card or financial information.
I would like to protect certain parts of our site via https and would like advice on best practice. We have installed an SSL certificate on the site but have not applied it on any paths/pages yet. I am considering forcing https for the following folders/pages:
1) Production login page (since login is available on home page, https would be utilized after UID/PWD is input and "login" button is selected)
2) Production registration and forgot password functionality pages
3) Production private areas paths (protect all pages on certain paths (folders) on main site that have private content - only accessible after certified login)
4) Production Admin (entire ADMIN path where employees can work with user info, manage online forums, add new eshop products - again credit cards are handled via https by a 3rd party). This means everything below .com/Admin is https
5) Production CMS (entire CMS path). This means everything below .com/CMS is https
1) Do the five options above seem reasonable?
2) Do I have the right idea when I say "apply the certificate on certain paths/pages"? Can you apply SSL on a path where every page on the path utilizes https?
3) For #1, is this straightforward? In other words, the home page doesn't load with https: only after inputting a UID/PWD and clicking "login" is the "s" applied. After login, the user goes back to http.
4) I know "https" will slow things down. For #4 and #5 I'm considering applying SSL across all of ADMIN and CMS. Does this seem right? Do we just need the login pages protected on each instead? My concern is that someone could sniff private info being saved on ADMIN or pages being written and saved on CMS.
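One way to enforce the path-based split described in the question (everything below /Admin and /CMS, plus the login, registration and forgot-password pages, served only over HTTPS while the rest of the site stays on http) in an Apache configuration, as an added example that is not part of the original question; the hostname, document root, certificate paths and the page names login.php, register.php and forgot-password.php are assumptions:

```apache
# Plain-http host: redirect only the sensitive paths to https,
# everything else keeps being served over http.
<VirtualHost *:80>
    # assumed hostname and document root
    ServerName www.example.com
    DocumentRoot /var/www/site
    RewriteEngine On
    # Everything below /Admin and /CMS (case-insensitive), and the
    # login / registration / forgot-password pages (assumed file names).
    RewriteCond %{REQUEST_URI} ^/(Admin|CMS)(/|$) [NC,OR]
    RewriteCond %{REQUEST_URI} ^/(login|register|forgot-password)\.php$ [NC]
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    # A redirect cannot protect a password that was already POSTed to an
    # http URL: the login form on the http home page must have its action
    # set to the https://... URL directly, not to a path that redirects.
</VirtualHost>

# https host: same document root, using the certificate already installed.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/site
    SSLEngine on
    # assumed certificate and key locations
    SSLCertificateFile    /etc/ssl/certs/site.crt
    SSLCertificateKeyFile /etc/ssl/private/site.key
    # Mark every cookie set over https as Secure (the browser never sends it
    # over plain http, so the ADMIN/CMS session cannot be sniffed on the http
    # part of the site) and HttpOnly (not readable by page scripts).
    Header always edit Set-Cookie ^(.*)$ "$1; Secure; HttpOnly"
    # Strict-Transport-Security is deliberately not set here: it would force
    # https for the whole host, which is not the split the question asks for.
</VirtualHost>
```

This needs mod_rewrite, mod_ssl and mod_headers enabled; because the session cookie is Secure, pages served over http will not see the logged-in session, which is the trade-off of going back to http after login.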