Can I put my form on HTTP and target my form to post to HTTPS and still be secure? No.
- Even if you post a notice, users will be less trusting. If a company can’t afford to invest in a security certificate, why would you trust them with private data?
- Website users should stick with one URL to log in, and both the form URL and the target URL should be over SSL.
Can I put a secure iframe for payments collection on an HTTP page? Technically yes; however, this will not achieve the desired security or consumer confidence, since there will be no ‘lock’ in the consumer’s web browser for your domain. There are also limitations which I won’t get into here. This would not follow best practices and is therefore not recommended. Wherever you accept information that you want secured, the domain should have an SSL certificate.
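One way to check your own pages for both situations described above, as an added example that is not part of the original page: it parses a page's HTML and reports every form or iframe where the page URL and the target URL are not both HTTPS. The function name `audit_page` and the `shop.example` / `pay.example` URLs are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _Collector(HTMLParser):
    """Collects form actions and iframe sources from one HTML document."""

    def __init__(self):
        super().__init__()
        self.targets = []  # (tag, raw URL attribute value)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A form without an action posts back to the page's own URL.
            self.targets.append(("form", attrs.get("action") or ""))
        elif tag == "iframe" and attrs.get("src"):
            self.targets.append(("iframe", attrs["src"]))


def audit_page(page_url, html):
    """Return a list of findings; an empty list means page and targets are all HTTPS."""
    collector = _Collector()
    collector.feed(html)
    page_secure = urlsplit(page_url).scheme == "https"
    findings = []
    for tag, raw in collector.targets:
        target = urljoin(page_url, raw)  # resolve relative targets against the page
        target_secure = urlsplit(target).scheme == "https"
        if not page_secure and target_secure:
            findings.append(f"{tag} -> {target}: target is HTTPS but the page itself is HTTP")
        elif not target_secure:
            findings.append(f"{tag} -> {target}: target is not HTTPS")
    return findings


# Constructed sample markup (hypothetical site, not taken from any real page).
SAMPLE = """
<form method="post" action="https://shop.example/login"><input name="pw" type="password"></form>
<iframe src="https://pay.example/card"></iframe>
<form method="post" action="/subscribe"></form>
"""

if __name__ == "__main__":
    for finding in audit_page("http://shop.example/account", SAMPLE):
        print(finding)
```

Served from `http://shop.example/account`, the sample markup produces three findings; served from the `https://` version of the same URL, it produces none.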