No Redirection from HTTP to HTTPS

Impact: Medium

Description

When HTTPS is enabled but HTTP requests are not automatically redirected to HTTPS, users must explicitly use the HTTPS URL to get encrypted communication. Without redirection, HTTP traffic remains unencrypted and can be intercepted by attackers who have access to the network.

Recommendation

To enforce the use of HTTPS, configure your application or web server to redirect every HTTP request to HTTPS. Additionally, send the Strict-Transport-Security HTTP response header to provide an extra layer of security.
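
A check for both parts of this recommendation, as an added example (not SmartScanner's own code): it evaluates the response to a plain-HTTP request and the response to the HTTPS request, and reports a missing redirect or a missing or disabled Strict-Transport-Security header. The function names, the example.test host and the sample responses are constructed for illustration; header names are assumed to be lower-cased.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def redirects_to_https(request_url, status, headers):
    """True if a plain-HTTP response is a redirect whose target is https://."""
    if status not in REDIRECT_CODES:
        return False
    location = headers.get("location")
    if not location:
        return False
    # Location may be relative; resolve it against the requested URL.
    # A relative target stays on http:// and therefore fails the check.
    return urlsplit(urljoin(request_url, location)).scheme == "https"

def hsts_max_age(headers):
    """Return max-age from Strict-Transport-Security, or None if absent/invalid."""
    value = headers.get("strict-transport-security")
    if not value:
        return None
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isascii() and arg.isdigit() else None
    return None

def audit(http_resp, https_resp):
    """Each response is (url, status, headers). Returns a list of findings."""
    findings = []
    if not redirects_to_https(*http_resp):
        findings.append("no-redirect-to-https")
    # Only the HTTPS response is inspected: browsers ignore HSTS sent over HTTP.
    age = hsts_max_age(https_resp[2])
    if age is None:
        findings.append("hsts-missing")
    elif age == 0:
        findings.append("hsts-disabled")  # max-age=0 makes browsers drop the policy
    return findings

# Constructed sample responses (not captured from a real site).
WEAK = (("http://example.test/", 200, {"content-type": "text/html"}),
        ("https://example.test/", 200, {}))
FIXED = (("http://example.test/", 301, {"location": "https://example.test/"}),
         ("https://example.test/", 200,
          {"strict-transport-security": "max-age=31536000; includeSubDomains"}))

if __name__ == "__main__":
    print("weak: ", audit(*WEAK))
    print("fixed:", audit(*FIXED))
```
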

Last updated on May 13, 2024
