i've chosen to make the entire site HTTPS and redirect HTTP to HTTPS. the reason being that performance doesn't seem to take a big hit, and while things like caching and moving to multiple servers will be harder, if we get to that point then re-writing some of this code will be fine (whereas it is not fine now when we just want to get some user testing done).
i'm using django. the move for some pages to be accessed via https means accounting for redirects more intelligently. e.g., {% url login %} should produce https://... while {% url static_page %} should produce http://... there is a django snippet for middleware that allows one to provide an SSL flag.
still...if one is visiting https://mysite.com/A and then moves to https://mysite.com/B, then won't the browser alert them to the move? it should, but that provides the wrong viewing experience... i guess, once a user logs in, the rest of their visit to the site should be over https, even the static pages that non-logged in users view over http?
alternatively, i care less about the users that log in and more that the API used by my Firefox extension to communicate with my server is conducted over HTTPS. that's where i started, but once i made that https it was a slippery slope for the rest of the site :-)
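The two mechanisms discussed in the post, an HTTP-to-HTTPS redirect applied by middleware and an SSL flag that decides whether a generated URL is `https://` or `http://`, as an added example that is not the poster's code or the snippet they mention. Django is not imported at module level so the decision logic runs stand-alone; the middleware class follows Django's `get_response` calling convention and only imports `HttpResponsePermanentRedirect` when it actually redirects. The host `mysite.com`, the `/static/` exemption and the `X-Forwarded-Proto` handling are assumptions for illustration.

```python
"""Added example: HTTP->HTTPS redirect logic and SSL-flagged URL building
in the style of a Django middleware. Not the poster's code; Django is
imported lazily so the functions below run without it installed."""

CANONICAL_HOST = "mysite.com"      # assumed; the poster's site in the question
DEFAULT_EXEMPT = ()                # e.g. ("/static/",) to leave static pages on http


def is_secure(scheme, headers, trust_proxy_header=False):
    """Mirror Django's request.is_secure().

    Behind a TLS-terminating reverse proxy the app server only ever sees
    plain http, so the proxy's X-Forwarded-Proto header must be consulted
    (Django's SECURE_PROXY_SSL_HEADER). Trust it only when a proxy that
    overwrites any client-supplied value sits in front; otherwise a client
    could set the header itself and skip the redirect entirely.
    """
    if scheme == "https":
        return True
    if trust_proxy_header and headers.get("X-Forwarded-Proto", "").lower() == "https":
        return True
    return False


def redirect_target(scheme, host, path, query="", headers=None,
                    trust_proxy_header=False, exempt=DEFAULT_EXEMPT):
    """Return the https:// URL to redirect a plain-http request to,
    or None when the request may proceed as-is.

    This is the "whole site over HTTPS" rule from the post; once every
    page is https, the browser never crosses schemes mid-session and the
    session cookie can carry the Secure flag (SESSION_COOKIE_SECURE).
    """
    headers = headers or {}
    if is_secure(scheme, headers, trust_proxy_header):
        return None
    if any(path.startswith(prefix) for prefix in exempt):
        return None
    url = f"https://{host}{path}"
    if query:
        url += "?" + query
    return url


def absolute_url(path, ssl_required, host=CANONICAL_HOST):
    """The SSL-flag idea from the post: a view flagged ssl_required=True
    (login, the extension API) gets an https URL, anything else http."""
    scheme = "https" if ssl_required else "http"
    return f"{scheme}://{host}{path}"


class ForceHTTPSMiddleware:
    """Django-style middleware wrapping redirect_target().

    Equivalent in spirit to SECURE_SSL_REDIRECT in Django's
    SecurityMiddleware; shown here so the decision is visible.
    """

    def __init__(self, get_response, trust_proxy_header=False, exempt=DEFAULT_EXEMPT):
        self.get_response = get_response
        self.trust_proxy_header = trust_proxy_header
        self.exempt = exempt

    def __call__(self, request):
        scheme = "https" if request.is_secure() else "http"
        headers = {"X-Forwarded-Proto": request.META.get("HTTP_X_FORWARDED_PROTO", "")}
        full_path = request.get_full_path()
        path, _, query = full_path.partition("?")
        target = redirect_target(scheme, request.get_host(), path, query,
                                 headers, self.trust_proxy_header, self.exempt)
        if target is not None:
            # Imported here so the rest of the module works without Django.
            from django.http import HttpResponsePermanentRedirect
            return HttpResponsePermanentRedirect(target)
        return self.get_response(request)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(redirect_target("http", CANONICAL_HOST, "/login/"))
    print(redirect_target("https", CANONICAL_HOST, "/login/"))
    print(absolute_url("/login/", True), absolute_url("/about/", False))
```

Once the whole site is served over HTTPS as the poster decided, the same place in settings is where `SESSION_COOKIE_SECURE`, `CSRF_COOKIE_SECURE` and an HSTS max-age (`SECURE_HSTS_SECONDS`) belong, so that a logged-in session cookie is never sent over a plain-http request even if some link still points at `http://`.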