No HTTPS
Impact: Medium
Description
In HTTP communications, traffic is not encrypted and can be captured by an attacker who has access to a network interface. This exposes sensitive information such as login credentials and personal data to eavesdropping and interception.
Recommendation
Enable HTTPS and enforce its usage to encrypt communication between clients and servers. Implement HTTP Strict Transport Security (HSTS) to instruct browsers to always use HTTPS for all future requests.
References
- CWE-319
- OWASP: HTTP Strict Transport Security Cheat Sheet
- RFC 6797: HTTP Strict Transport Security (HSTS)
👉 You might also like:
Password Input on HTTP - Vulnerability
Password Sent in HTTP Query - Vulnerability
Password Sent Over HTTP - Vulnerability
No Redirection from HTTP to HTTPS - Vulnerability
Last updated on May 13, 2024