So, pretty straightforward question. Somebody told me that all shopping carts should be secure. I can see in some instances where this would be beneficial… but all instances?
I realize that typically carts are stored on the server via a session, but in the end the details of the cart have to be sent to the user so they can see what is in their cart.
This is very difficult to google because all that comes up is ads for commercial shopping carts.
Question: Is it standard/typical to secure all shopping carts? (pages which display the shopping cart)
The simple answer is yes. You already need encryption when communicating passwords or payment details, so it’s easy to extend the encryption to the whole site. This might even simplify some things. Yes, serving encrypted pages is more computationally intensive than serving plain files, but we’ve come to generally expect HTTPS everywhere (especially post 2013).
The more nuanced answer is that few actions really have to be secured, namely the communication of secrets like passwords or payment details, and the final, legally binding purchase action when checking out the shopping cart. Generally, the items in the shopping cart (or adding items to the cart) wouldn’t have to be protected, but this plays fast and loose with the user’s trust.
There also may be legal requirements on securing users’ data which may mandate encryption on the connection.
It depends on which stage you’re talking about.
The paying for the contents of a shopping cart? This must be secure; you’ve probably got financial data involved (or something very similar). Failure to secure this will get you into trouble in virtually all jurisdictions.
The configuring of where to deliver to? It’s a very good idea to make this be secure; it’s definitely likely to be personally-identifiable information. Failure to secure this will get you into trouble in some jurisdictions; others are less bothered by it.
The adding of items to the cart, viewing of the current cart contents, or the removal of now-unwanted items? Strictly need not be secure, assuming there’s a confirmation step later during the check-out stage, but having someone else pranking things by adding or removing random items from your customers’ carts would still be rather undesirable. Can you imagine the effect on the opinion of a user of your site if some script kiddie decided to add a hundred pairs of expensive frilly lace underwear to every order, just for laughs? (OK, that might be OK with some customers, but they’ll likely be a small minority.)
The cost of securing the cart completely isn’t too large given that you already need to think in terms of secure operations for part of the process. With modern computing and network capabilities making the additional technical overburden quite limited, you might as well secure fully.