Description
Traffic sent over plain HTTP is not encrypted, so an attacker with access to a network interface on the path between client and server can capture it. This exposes sensitive information such as login credentials and personal data to eavesdropping and interception.
Recommendation
Enable HTTPS and enforce its use (for example, by redirecting every HTTP request to its HTTPS equivalent) so that all communication between clients and servers is encrypted. Implement HTTP Strict Transport Security (HSTS) to instruct browsers to use HTTPS for all future requests to the site.
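As an added example that is not part of the original page, the following checker evaluates captured HTTP and HTTPS responses against the two controls above: plain HTTP must redirect to HTTPS, and the HTTPS response must carry a Strict-Transport-Security header with a max-age of at least one year (the OWASP cheat sheet's baseline) and includeSubDomains. The response dicts, the one-year threshold and the finding strings are assumptions made for this example; responses are constructed inline so it runs offline.

```python
# Added example: offline check of HTTP-to-HTTPS redirection and HSTS policy.
# Responses are modelled as dicts {"status": int, "headers": {lower-case: value}}
# standing in for captured server responses (assumption for this example).

ONE_YEAR = 31536000  # seconds; minimum HSTS max-age accepted here (assumed baseline)


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into {directive: value|True}.

    Directive names are case-insensitive (RFC 6797); valueless directives
    such as includeSubDomains and preload map to True.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else True
    return directives


def check_transport(http_resp, https_resp):
    """Return a list of findings; an empty list means HTTPS is enforced correctly."""
    findings = []
    # 1. Plain HTTP must redirect to an https:// location instead of serving content.
    location = http_resp["headers"].get("location", "")
    if not (300 <= http_resp["status"] < 400 and location.lower().startswith("https://")):
        findings.append("no redirection from HTTP to HTTPS")
    # 2. The HTTPS response must set HSTS with a sound max-age and subdomain coverage.
    hsts = https_resp["headers"].get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
        return findings
    directives = parse_hsts(hsts)
    max_age = directives.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        findings.append("HSTS max-age directive missing or malformed")
    elif int(max_age) < ONE_YEAR:
        findings.append(f"HSTS max-age {max_age} is below one year")
    if "includesubdomains" not in directives:
        findings.append("HSTS does not cover subdomains")
    return findings


# Constructed sample responses (not captured from any real host).
WEAK_HTTP = {"status": 200, "headers": {"content-type": "text/html"}}
WEAK_HTTPS = {"status": 200, "headers": {"strict-transport-security": "max-age=300"}}
GOOD_HTTP = {"status": 301, "headers": {"location": "https://example.test/"}}
GOOD_HTTPS = {"status": 200, "headers": {
    "strict-transport-security": "max-age=63072000; includeSubDomains; preload"}}
```

Running `check_transport(WEAK_HTTP, WEAK_HTTPS)` reports the missing redirect, the short max-age and the missing subdomain coverage, while the GOOD pair yields no findings.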
References
- OWASP: HTTP Strict Transport Security Cheat Sheet
- RFC 6797: HTTP Strict Transport Security (HSTS)
- CWE-319
Related Issues
- No Redirection from HTTP to HTTPS - Vulnerability
- Password Input on HTTP - Vulnerability
- Password Sent in HTTP Query - Vulnerability
- Password Sent Over HTTP - Vulnerability
Tags
- SSL/TLS
- Data Security
- Network Security
Last updated on May 13, 2024