Security Guideline
It is important to keep the user informed about possible security issues.
Notify the User of Security-Related Events
Always notify the user of any change in security, whether it is a security-related error such as a certificate failure, or a change in the security of the underlying protocol, such as change from an HTTPS site to an HTTP site.
Notify the User of Security-Related Errors
When your application receives an error message that may indicate a security problem, the InternetErrorDlg function provides a standard, familiar interface for notifying the user in most cases.
Among the errors that fall in this category are:
ERROR_INTERNET_HTTP_TO_HTTPS_ON_REDIR
ERROR_INTERNET_INVALID_CA
ERROR_INTERNET_POST_IS_NON_SECURE
ERROR_INTERNET_SEC_CERT_ERRORS
ERROR_INTERNET_SEC_CERT_CN_INVALID
ERROR_INTERNET_SEC_CERT_DATE_INVALID
A failure to notify the user of errors such as these can expose the user to various sorts of security breaches, including spoofing attacks or involuntary information disclosure.
Notify the User When Connection Security Changes
Always notify the user when the security of the connection changes, for example from HTTPS to HTTP. Otherwise, unless the user has explicitly chosen not to be notified of such changes, you are concealing the risks of involuntary information disclosure.
Among the functions that report such a change in connection security are the InternetStatusCallback callback function and the InternetConfirmZoneCrossing function.
Note
WinINet does not support server implementations. In addition, it should not be used from a service. For server implementations or services use Microsoft Windows HTTP Services (WinHTTP).