Securing your checkout page

When taking credit card payments, the pages involved should be served over HTTPS. CartThrob makes this very simple to accomplish, but in addition to what CartThrob does for you, you also need to take steps to secure the content embedded in your pages; otherwise the page will not be fully secure and, to your client's distress, the browser will not show a "lock" or other "secured" icon.

Securing a page with HTTPS requires the following:

  1. You have a commonly accepted secure certificate set up for your site. If you purchase one from any standard issuing authority, most browsers will recognize your certificate and accept it. If you were trying to use your own self-signed certificate to save money… this is going to fail. If you try to use https:// without a properly installed secure certificate, your page will fail to load. We buy ours through Namecheap for $15 / year.

  2. Your checkout page URL should be called with https://.

  3. All embedded files must be accessed via an https:// connection. This includes JavaScript, CSS (and the images referenced in your CSS file), images, and any other embedded file. You can link to non-https:// pages, but to fully secure the page you also need to secure all of your embedded files. It's pretty common for people to miss some. Common errors that will keep your page from being shown as secure include: embedding Google's version of jQuery without using https://; embedding tracking JavaScript in the footer of your page without https://; and using background images or sprites in CSS and linking to them with http://. You do not need to change your ExpressionEngine {embed}s, but you do need to change any standard HTML embed to use an https:// connection.

    Usually the best, most flexible option is to simply call files relatively (without specifying http:// or https://). For instance, call your jQuery file as /scripts/jquery.js rather than https://yoursite.com/scripts/jquery.js. If you embed files using relative links, the browser will use whichever scheme your page was loaded with (http:// or https://).

  4. Secure your forms. Add the parameter secure_action="yes" to ANY CartThrob form and the form will submit securely.
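As an added example for step 3 (this is not code from the CartThrob documentation), a small Python checker that scans a template for embedded files still referenced over http:// and suggests the relative form. The sample template, the yoursite.com host and the third-party hostnames in it are constructed for the example.

```python
import re

# Constructed checkout template (sample data, not a CartThrob template) showing the
# mixed-content mistakes listed above: Google-hosted jQuery over http://, a tracking
# script in the footer over http://, and a CSS sprite loaded over http://.
SAMPLE_TEMPLATE = """
<link rel="stylesheet" href="http://yoursite.com/css/site.css">
<script src="http://ajax.googleapis.com/ajax/libs/jquery/jquery.min.js"></script>
<script src="/scripts/jquery.js"></script>
<img src="https://yoursite.com/images/logo.png" alt="logo">
<a href="http://www.example.com/terms">Terms</a>
<style>.hero { background: url(http://yoursite.com/img/sprite.png); }</style>
<script src="http://stats.example.net/track.js"></script>
"""

# src/href on tags the browser fetches as part of the page, and url() in CSS.
# <a href> is deliberately not matched: linking to http:// pages does not break the lock.
EMBED_ATTR = re.compile(
    r'<(?:script|link|img|iframe|source)\b[^>]*?\b(?:src|href)\s*=\s*["\']([^"\']+)["\']', re.I)
CSS_URL = re.compile(r'url\(\s*["\']?([^"\')]+)["\']?\s*\)', re.I)

def insecure_embeds(text):
    """Return every embedded reference that starts with http:// (works on HTML or raw CSS)."""
    refs = EMBED_ATTR.findall(text) + CSS_URL.findall(text)
    return [u for u in refs if u.lower().startswith("http://")]

def fix_reference(url, site_host="yoursite.com"):
    """Suggested rewrite: same-host files become root-relative paths (as the text recommends);
    third-party files become protocol-relative //host/path, which the browser likewise loads
    over whichever scheme the page itself uses. Anything else is returned unchanged."""
    m = re.match(r'^http://([^/]+)(/.*)?$', url, re.I)
    if not m:
        return url
    host, path = m.group(1), m.group(2) or "/"
    return path if host.lower() == site_host.lower() else "//" + host + path

def report(text, site_host="yoursite.com"):
    """Map each insecure embedded reference to its suggested replacement."""
    return {u: fix_reference(u, site_host) for u in insecure_embeds(text)}

if __name__ == "__main__":
    for bad, good in report(SAMPLE_TEMPLATE).items():
        print(f"{bad}\n  -> {good}")
```

Run it against your own template or CSS files before going live; an empty report means no embedded file is still loaded over http://.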

The benefits of securing your page include the encryption of data as it is submitted through forms throughout your site, so that it cannot be read by an outside observer. You can secure any page you wish… even every page on your site. Encryption will slow down page loads, however, so most opt to secure only the pages that need it.

Also, keep in mind that CartThrob forms submitted via AJAX will attempt to output any data from whatever page is specified in the form's return parameter (or index.php if a return page is not specified). If using AJAX, make sure those "return" pages are also secure, or the submission or the submission response may fail.