HTTPS encrypts the connection between the client and the server, so, login pages and all backend/control panel pages should be HTTPS.

Reason being, someone between the client and the server can sniff the traffic. If it is HTTPS it will be encrypted; if not, plain as day. Hence the reason why login pages usually redirect you over to an HTTPS login page: when you log in, you don't want to send your username and password pair to the server in plaintext!

What's funny is people often still send their email creds to their email server without being encrypted either...

Your whole site should not use HTTPS unless all of the data or functionality on that site is sensitive. Pretty simple rule of thumb: public-facing pages use HTTP and login pages + anything behind them use HTTPS.
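As an added illustration of the rule of thumb above (example code, not from the thread), a small WSGI middleware that sends plain-HTTP requests for login/control-panel paths to their HTTPS equivalent; the prefixes, the host `example.test` and the helper names are assumptions. It also refuses rather than redirects a POST that arrived over HTTP, since the form body was already sent in the clear by then.

```python
from urllib.parse import quote

# Hypothetical prefixes for "login pages + anything behind them"; adjust per site.
PROTECTED_PREFIXES = ("/login", "/admin", "/account")

def needs_https(environ, prefixes=PROTECTED_PREFIXES):
    """True when a plain-HTTP request targets a path that must be served over HTTPS."""
    # wsgi.url_scheme is what the server itself saw; do not trust a client-supplied
    # X-Forwarded-Proto header unless a reverse proxy you control sets it.
    scheme = environ.get("wsgi.url_scheme", "http")
    path = environ.get("PATH_INFO", "/")
    return scheme != "https" and path.startswith(prefixes)

def https_location(environ):
    """Rebuild the request URL with an https:// scheme, keeping path and query."""
    url = "https://" + environ["HTTP_HOST"] + quote(environ.get("PATH_INFO", "/"))
    query = environ.get("QUERY_STRING", "")
    return url + ("?" + query if query else "")

def force_https(app, prefixes=PROTECTED_PREFIXES):
    """Wrap a WSGI app so protected paths are only reachable over HTTPS."""
    def middleware(environ, start_response):
        if not needs_https(environ, prefixes):
            return app(environ, start_response)
        if environ.get("REQUEST_METHOD", "GET") not in ("GET", "HEAD"):
            # A POST over plain HTTP has already sent its body (e.g. a password)
            # unencrypted; a redirect cannot undo that, so refuse the request.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"This page must be submitted over HTTPS.\n"]
        start_response("301 Moved Permanently", [("Location", https_location(environ))])
        return [b""]
    return middleware

def demo_app(environ, start_response):
    """Stand-in application behind the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

def make_environ(method, scheme, path, query=""):
    """Constructed minimal WSGI environ for a request to the assumed host example.test."""
    return {"REQUEST_METHOD": method, "wsgi.url_scheme": scheme,
            "HTTP_HOST": "example.test", "PATH_INFO": path, "QUERY_STRING": query}

def call(app, environ):
    """Invoke a WSGI app and return (status, headers dict, body bytes)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```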



Total noob question, but I'll ask it anyway: is there any coding that has to be done to do HTTPS, or is it as simple as linking to the same page with https in the front?


I also feel that I should point out: Putting forms behind SSL does not absolve you of secure coding guidelines! SSL does not influence whether or not your webapp is vulnerable to traditional injection and logic flaw attacks.


While that is true, the OP said he was interested in learning more beyond just SQL injection etc...

Which brings me to your second subject: logic flaws. That is probably a more common security flaw than anything else. It has been made worse by the fact that most "web developers" don't actually understand logic nor the full implications of structured programming.

It is compounded by a lack of understanding of system fundamentals too; it's quite common amongst developers I have met to not know why "0123" comes out as "83" in any scripting language built atop C (Python and PHP are popular examples). (Hint for those that don't know: C interprets integer literals with a leading zero as an octal number.)


Haha, this is so true. I have no doubts the biggest problems we'll face with early product iterations are our own bugs rather than malicious third parties :-)

We'll do the best we can to get both fronts up to snuff before the general public gets a stab at us.


You need to have an SSL certificate, and your webserver has to have the appropriate modules and such installed and accept requests on port 443.


There's server configuration, but not "coding" as traditionally defined.



