Securing your checkout page
When taking credit card payments, pages should be secured with HTTPS connections. CartThrob makes this very simple to accomplish. Beyond what CartThrob can do, you also need to take steps to secure the content on your site. Otherwise your page won't be secure and, to your client's distress, will not show a "lock" or other "secured" icon.
Securing a page with HTTPS requires the following:
You have a commonly accepted secure certificate set up for your site. If you purchase one from any standard issuing authority, most browsers will recognize your certificate and accept it. If you were trying to use your own self-signed certificate to save money… this is going to fail. If you try to use https:// without a properly installed secure certificate, your page will fail to load. We buy ours through Dreamhost.com for $15 / year.
Your checkout page URL should be called with https://
Usually the best, most flexible option is to simply call files relatively (without using http:// or https://). For instance, call your jQuery file like this: /scripts/jquery.js, rather than https://yoursite.com/scripts/jquery.js. If you embed files using relative links, the browser will use whichever method your page uses (http:// or https://).
Secure your forms. Add the following parameter to ANY CartThrob form:
secure_action="yes"
and the form will submit securely.
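The embedded-file and form requirements above can be checked mechanically before a checkout page goes live. The following is an added example, not part of CartThrob or the original page: it resolves each embedded URL the way a browser would and reports anything that ends up on plain http://. The sample HTML, the yoursite.com paths beyond /scripts/jquery.js, and the names find_insecure and MixedContentFinder are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attribute that makes the browser fetch from (or submit to) a URL, per tag.
URL_ATTRS = {"script": "src", "img": "src", "iframe": "src",
             "link": "href", "form": "action"}

class MixedContentFinder(HTMLParser):
    """Collects embedded files and form targets that resolve to plain http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # (tag, value as written, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = URL_ATTRS.get(tag)
        value = attrs.get(attr) if attr else None
        if not value:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are fetched as page content
        # Relative links inherit the scheme of the page they appear on.
        resolved = urljoin(self.page_url, value)
        if urlparse(resolved).scheme == "http":
            self.insecure.append((tag, value, resolved))

def find_insecure(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.insecure

# Constructed sample checkout page (not taken from a real site).
SAMPLE = """
<html><head>
<script src="/scripts/jquery.js"></script>
<link rel="stylesheet" href="http://yoursite.com/css/cart.css">
</head><body>
<img src="http://yoursite.com/images/logo.png">
<form method="post" action="http://yoursite.com/index.php"></form>
</body></html>
"""

if __name__ == "__main__":
    for tag, written, resolved in find_insecure("https://yoursite.com/checkout", SAMPLE):
        print(f"<{tag}> uses {written!r} over plain HTTP -> {resolved}")
```

On the https:// checkout URL the relative jquery.js link is not reported, while the three hard-coded http:// URLs are.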
The benefits of securing your page include the encryption of data as it's being submitted to forms throughout your site, so that it can't be read by any outside user. You can secure any page you wish… even every page on your site. Encryption will slow down the page load, however, so most opt to secure pages only as needed.
Also, keep in mind that CartThrob forms submitted via AJAX will attempt to output any data from whatever page is specified in the form's return parameter (or index.php if a return page is not specified). If using AJAX, make sure those "return" pages are also secure, or the submission or submission response may fail.