No Redirection from HTTP to HTTPS
Impact: Medium
Description
When HTTPS is enabled but HTTP requests are not automatically redirected to HTTPS, users have to open the HTTPS URL explicitly. Otherwise, communication is not encrypted and can be captured by an attacker who has access to a network interface.
Recommendation
Enforce the use of HTTPS by redirecting every HTTP request to HTTPS in your application or web server configuration. You can also send the Strict-Transport-Security HTTP response header as an extra security defense.
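One way to verify both parts of this recommendation is sketched below. It is an added example, not part of the original page. The function names audit and fetch, the host example.test and the sample responses are assumptions made for illustration.

```python
"""Check a site's HTTP-to-HTTPS redirect and its HSTS header (added example)."""
import http.client
import re
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def audit(http_status, http_headers, https_headers):
    """Return a list of findings; an empty list means both checks pass.

    http_status/http_headers: answer to the plain http:// request.
    https_headers: headers of the answer to the https:// request.
    """
    findings = []
    http_h = {k.lower(): v for k, v in http_headers.items()}
    https_h = {k.lower(): v for k, v in https_headers.items()}

    # 1. The plain HTTP request must be answered with a redirect to https://.
    target = urlsplit(http_h.get("location", ""))
    if http_status not in REDIRECT_CODES:
        findings.append(f"HTTP answered {http_status} instead of redirecting")
    elif target.scheme != "https":  # also catches relative targets like /login
        findings.append("redirect target is not an https:// URL")

    # 2. The HTTPS response should carry HSTS with a positive max-age.
    hsts = https_h.get("strict-transport-security")
    m = re.search(r'max-age="?(\d+)"?', hsts or "", re.I)
    if hsts is None:
        findings.append("HTTPS response has no Strict-Transport-Security header")
    elif not m or int(m.group(1)) == 0:
        findings.append("Strict-Transport-Security has no positive max-age")
    return findings


def fetch(scheme, host, timeout=5):
    """GET / without following redirects; returns (status, headers)."""
    cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
    conn = cls(host, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample responses (not captured from a real site).
    print(audit(200, {"Content-Type": "text/html"}, {}))
    print(audit(301, {"Location": "https://example.test/"},
                {"Strict-Transport-Security": "max-age=31536000"}))
```

To check a site you operate, pass the results of fetch("http", host) and fetch("https", host) to audit.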
Last updated on February 15, 2021