- gardelAsked on January 19, 2015 at 02:09 PM
I'm managing registrations for a youth sports organization using JotForm forms embedded in a SquareSpace web site. I have added Stripe payments and have embedded the form as a "secure form" using iFrames. It works very well. I do have a couple of questions though:
The page on Squarespace opens in http, not https. To the end user who pays attention, it looks like the transaction is being made over an unsecured connection. The lock icon does not appear in the URL bar in the browser.
Is the transaction secure even though the web page it is embedded on is not? What do others do with this kind of set up?
- BenAnswered on January 19, 2015 at 02:52 PM
You are correct about the page not offering the same level of protection as shown with the icon. The iframe however is secure on its own, so all data sent through it will be safe and in its own channel, there are however many other ways that could make it insecure and if implemented as such are against some standards and safety regulations.
Having that said many people and stores are still embedding their stores in such way.
I would recommend that you upgrade your website to HTTPS if possible, or link to the jotform instead if the HTTPS option on your website is not an option at this time.
Doing a quick search on security related website I found this link that might explain things in a bit more details: http://security.stackexchange.com/questions/38317/specific-risks-of-embedding-an-https-iframe-in-an-http-page
Do let us know if you have any further questions.