Description
Traffic sent over plain HTTP is not encrypted, so an attacker with access to a network interface on the path between client and server can capture it. This exposes sensitive information such as login credentials and personal data to eavesdropping and interception.
Recommendation
Enable HTTPS and enforce it (for example by redirecting every HTTP request to its HTTPS equivalent) so that all communication between clients and servers is encrypted. Implement HTTP Strict Transport Security (HSTS) so that browsers use HTTPS for all future requests to the site without first trying HTTP.
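The following is an added illustration, not code from this page or from any particular product. It models the recommendation in a toy request/response shape (the `handle_request` function and its dict return value are assumptions, not a real framework's API): plain-HTTP requests get a permanent redirect to HTTPS, only HTTPS responses carry the `Strict-Transport-Security` header (RFC 6797 requires user agents to ignore it when received over an insecure transport), and a small parser plus checker shows the findings a scanner would raise against a weak HSTS value.

```python
"""Enforce HTTPS and emit/validate an HSTS policy (RFC 6797).

Added example. handle_request and its (status, headers) return shape are
assumptions for illustration, not a real web framework's interface.
"""
from urllib.parse import urlunsplit

# max-age is expressed in seconds; one year is a commonly recommended minimum.
ONE_YEAR_SECONDS = 31536000


def build_hsts_header(max_age=ONE_YEAR_SECONDS, include_subdomains=True):
    """Return a Strict-Transport-Security value; directives are ';'-separated."""
    directives = [f"max-age={max_age}"]
    if include_subdomains:
        directives.append("includeSubDomains")
    return "; ".join(directives)


def handle_request(scheme, host, path="/", query=""):
    """Return (status, headers) for a request.

    HTTP requests are redirected permanently to the HTTPS URL. The redirect
    itself carries no HSTS header: browsers must ignore HSTS received over
    plain HTTP, so the policy is only set on the HTTPS response.
    """
    if scheme.lower() != "https":
        target = urlunsplit(("https", host, path, query, ""))
        return 301, {"Location": target}
    return 200, {"Strict-Transport-Security": build_hsts_header()}


def parse_hsts(value):
    """Parse an HSTS header value into {directive_name_lower: value_or_None}.

    Directive names are case-insensitive and values may be quoted.
    """
    policy = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        policy[name.strip().lower()] = val.strip().strip('"') if val else None
    return policy


def hsts_findings(value, min_age=ONE_YEAR_SECONDS):
    """Return the findings a scanner would raise against an HSTS header value."""
    findings = []
    policy = parse_hsts(value)
    if "max-age" not in policy:
        findings.append("missing required max-age directive")
        return findings
    try:
        age = int(policy["max-age"])
    except (TypeError, ValueError):
        findings.append("max-age is not an integer")
        return findings
    if age == 0:
        findings.append("max-age=0 disables the policy")
    elif age < min_age:
        findings.append(f"max-age {age} is below the recommended minimum {min_age}")
    if "includesubdomains" not in policy:
        findings.append("includeSubDomains not set; subdomains are not covered by the policy")
    return findings


if __name__ == "__main__":
    print(handle_request("http", "example.com", "/login"))   # 301 to https://example.com/login
    print(handle_request("https", "example.com", "/login"))  # 200 with HSTS header
    print(hsts_findings("max-age=300"))                       # short max-age, no includeSubDomains
```

The checker treats `max-age=0` separately because that value is how a site tells browsers to forget a previously cached policy; seeing it in production usually means HSTS was rolled back rather than misconfigured.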
References
- OWASP: HTTP Strict Transport Security Cheat Sheet
- RFC 6797: HTTP Strict Transport Security (HSTS)
- CWE-319: Cleartext Transmission of Sensitive Information
- OWASP Top 10 2021, A02: Cryptographic Failures
Related Issues
- Password Sent Over HTTP - Vulnerability
- Password Input on HTTP - Vulnerability
- Password Sent in HTTP Query - Vulnerability
- Cookie without Secure Flag - Vulnerability
Tags
- SSL/TLS
- Data Security
- Network Security
Last updated on May 13, 2024