by Gurrewe 3731 days ago
Doesn't make it better though, a MITM could change the action URL of the form.
2 comments

MITM requires a man in the middle. For the most part, a state-level adversary is required for a generalized MITM attack.
Come join my wifi network at the coffee shop :-D
Yes, but that's not a general MITM attack as the NSA has pulled off. Only the folks at that particular coffee shop are placed at risk from this particular adversary.
Not if it's pinned at the web app level.
Again, MITM.

If you mean the front-end web (JS) app, MITM the request from the server to the client browser and replace the hardcoded submission URL in the JS.

Not really. I used Play Framework which is also its own webserver. SSL is at both the app and webserver level.