Description
Plain HTTP traffic is sent unencrypted, so anyone with access to a network interface on the path between client and server can capture it. Sensitive information such as login credentials, session tokens and personal data is therefore exposed to eavesdropping and interception.
Recommendation
Enable HTTPS and enforce its use so that all communication between clients and servers is encrypted. Additionally, send an HTTP Strict Transport Security (HSTS) header so that browsers use HTTPS for all future requests to the host and never fall back to plain HTTP.
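The following is an added example, not part of this finding template: a small defender-side check that parses a Strict-Transport-Security header per RFC 6797 and reports whether the policy is missing, malformed or weaker than the OWASP guidance (one-year max-age, includeSubDomains). The header sets it inspects are constructed samples; the MIN_MAX_AGE threshold and the finding texts are this example's own choices.

```python
from collections import namedtuple

# One year, the minimum the OWASP cheat sheet recommends (and preload lists require).
MIN_MAX_AGE = 31536000
HstsPolicy = namedtuple("HstsPolicy", "max_age include_subdomains preload")

def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797 6.1; None if browsers would reject it."""
    seen, max_age, include_subdomains, preload = set(), None, False, False
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name in seen:  # RFC 6797: each directive may appear only once
            return None
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as the RFC requires
    return None if max_age is None else HstsPolicy(max_age, include_subdomains, preload)

def check_response_headers(headers):
    """Return a list of findings for a dict of response headers (empty list means OK)."""
    hsts = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if hsts is None:
        return ["Strict-Transport-Security header missing: browsers will still accept plain HTTP"]
    policy = parse_hsts(hsts)
    if policy is None:
        return ["Strict-Transport-Security header is malformed and will be ignored by browsers"]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 disables HSTS")
    elif policy.max_age < MIN_MAX_AGE:
        findings.append(f"max-age {policy.max_age} is below the recommended {MIN_MAX_AGE}")
    if not policy.include_subdomains:
        findings.append("includeSubDomains not set: subdomains may still be reached over HTTP")
    return findings

if __name__ == "__main__":
    # Constructed sample header sets, not captured from any real server.
    for sample in ({"Content-Type": "text/html"}, {"Strict-Transport-Security": "max-age=0"}):
        print(sample, "->", check_response_headers(sample) or ["OK"])
```

Feed it the response headers of an HTTPS endpoint (for example from a scanner's captured response) to confirm the recommendation above has actually been applied.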
References
- OWASP: HTTP Strict Transport Security Cheat Sheet
- RFC 6797: HTTP Strict Transport Security (HSTS)
- CWE-319: Cleartext Transmission of Sensitive Information