
Is HTTPS as the form's action enough?

Is HTTPS as the (HTML) form's action enough for the form data to be SSL encrypted for submission?

Or does the page that hosts the form have to be HTTPS as well?


If the page the form is hosted on is not served over HTTPS, then it can be intercepted and modified en route. These modifications can include such things as changing the action of the form, or adding JavaScript to send the data to a third party before submitting the form as normal.

Submitting the form over HTTPS is not sufficient to protect the data. The form needs to be delivered that way too.


HTTPS on the form's action is sufficient to encrypt the form submission.

The page that hosts the form doesn't have to be HTTPS, although it helps to give the users confidence that their data is secure.

The other benefit of securing the hosting page is that the form can't be spoofed or altered by a man-in-the-middle.


It is enough if all you want to do is wave the magical encryption fairy dust around. It's not enough if you want to actually be secure. Any man-in-the-middle attack could simply rewrite the form HTML to post to a malicious server.
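The distinction the answers draw between how a form is submitted and how it is delivered can be checked mechanically. The following is an added example, not code from any of the answers: a Python audit that takes a page URL and its HTML and classifies every URL a form can submit to. The names `FormCollector` and `audit_forms`, the verdict strings, and the `shop.example` markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    # Collects every absolute URL that a form on the page can submit to.
    def __init__(self, page_url):
        super().__init__()
        self.page_url = self.base_url = page_url
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base_url = urljoin(self.page_url, attrs["href"])
        elif tag == "form":
            # A missing or empty action submits back to the page's own URL.
            action = attrs.get("action")
            self.targets.append(urljoin(self.base_url, action) if action else self.page_url)
        elif tag in ("button", "input") and attrs.get("formaction"):
            # formaction on a submit control overrides the form's action.
            self.targets.append(urljoin(self.base_url, attrs["formaction"]))


def audit_forms(page_url, html):
    """Return a list of (submission URL, verdict) pairs for the page."""
    parser = FormCollector(page_url)
    parser.feed(html)
    page_is_https = urlsplit(page_url).scheme == "https"
    findings = []
    for target in parser.targets:
        if urlsplit(target).scheme != "https":
            verdict = "CLEARTEXT_SUBMIT"    # the data itself travels unencrypted
        elif not page_is_https:
            verdict = "INSECURE_DELIVERY"   # encrypted submit, but the form can be altered in transit
        else:
            verdict = "OK"                  # delivered and submitted over HTTPS
        findings.append((target, verdict))
    return findings


# Constructed sample markup: an absolute HTTPS action, a relative formaction
# override, and a form with no action attribute at all.
SAMPLE_HTML = """
<form action="https://shop.example/login" method="post">
  <input type="password" name="pw"><button formaction="/legacy-login">Old</button>
</form>
<form method="post"><input name="q"></form>
"""

if __name__ == "__main__":
    for url in ("http://shop.example/", "https://shop.example/"):
        print(url, audit_forms(url, SAMPLE_HTML))
```

Run against the HTTP-hosted page, the HTTPS action is reported as `INSECURE_DELIVERY`, while the relative `formaction` and the action-less form inherit the page's `http` scheme and are reported as `CLEARTEXT_SUBMIT`.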
