Description
When HTTPS is enabled but HTTP requests are not automatically redirected to HTTPS, users must explicitly type the HTTPS URL to get an encrypted connection; anyone who follows a plain http:// link or omits the scheme is served in cleartext. Without redirection, that HTTP traffic remains unencrypted and can be read or modified by an attacker positioned anywhere on the network path between the client and the server.
Recommendation
Enforce HTTPS by configuring the application or web server to redirect every HTTP request to the equivalent HTTPS URL. In addition, send the Strict-Transport-Security response header on HTTPS responses so that browsers remember to use HTTPS for the site and refuse plain HTTP for the stated max-age, even when a user types or follows an http:// URL.
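The redirect-plus-HSTS configuration above, shown as an added example rather than code from the original page: a WSGI middleware that answers HTTP requests with a 301 to the HTTPS URL, adds the HSTS header only on HTTPS responses, trusts X-Forwarded-Proto solely from an assumed local reverse proxy, and rejects Host values outside an assumed allow-list so the redirect cannot be turned into an open redirect. ALLOWED_HOSTS, TRUSTED_PROXIES and the sample hello app are constructed assumptions.

```python
from urllib.parse import quote

# Assumptions for this example (constructed, not from any real deployment)
ALLOWED_HOSTS = {"example.com"}   # reject redirects to attacker-supplied Host values
TRUSTED_PROXIES = {"127.0.0.1"}   # only this reverse proxy may assert X-Forwarded-Proto
# One year, per the OWASP cheat sheet; add "preload" only after preload registration
HSTS_VALUE = "max-age=31536000; includeSubDomains"

def request_scheme(environ):
    """Scheme the client actually used. Behind a TLS-terminating proxy the app sees
    plain HTTP, so honour X-Forwarded-Proto only when it comes from that proxy."""
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO")
    if forwarded and environ.get("REMOTE_ADDR") in TRUSTED_PROXIES:
        return forwarded.split(",")[0].strip().lower()
    return environ.get("wsgi.url_scheme", "http").lower()

def https_only(app):
    """Wrap a WSGI app: 301 every HTTP request to its HTTPS URL, add HSTS otherwise."""
    def middleware(environ, start_response):
        host = environ.get("HTTP_HOST", "")
        if host not in ALLOWED_HOSTS:          # avoid open redirect via the Host header
            start_response("400 Bad Request", [("Content-Length", "0")])
            return [b""]
        if request_scheme(environ) != "https":
            target = "https://" + host + quote(environ.get("PATH_INFO", "/"))
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently", [("Location", target), ("Content-Length", "0")])
            return [b""]
        def with_hsts(status, headers, exc_info=None):
            # Browsers only honour HSTS on HTTPS responses, so it is set here only
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)
        return app(environ, with_hsts)
    return middleware

def hello(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"served over TLS\n"]

app = https_only(hello)

def run(environ):
    """Drive `app` without a server; returns (status, headers dict, body)."""
    seen = {}
    def capture(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app(environ, capture))
    return seen["status"], seen["headers"], body
```

Mount `app` under any WSGI server (or call `run` with a request environ as in the helper) to see the redirect, the HSTS header and the Host rejection behave as described.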
References
- OWASP: HTTP Strict Transport Security Cheat Sheet
- RFC 6797: HTTP Strict Transport Security (HSTS)
- CWE-16: Configuration
- CWE-311: Missing Encryption of Sensitive Data
- OWASP Top 10 2021 A05: Security Misconfiguration