
No Redirection from HTTP to HTTPS

Impact: Medium

Description

When HTTPS is enabled but HTTP requests are not automatically redirected to HTTPS, users have to type the HTTPS URL explicitly. Anyone who follows a plain http:// link, or types the hostname without a scheme, gets the site over an unencrypted connection. That traffic, including cookies, credentials and any other request or response data, can be read or modified by an attacker who can observe the network path, for example on a shared Wi-Fi network or at an upstream hop.

Recommendation

Enforce HTTPS. Redirect every HTTP request to its HTTPS equivalent (same host and path) with a permanent redirect, either in the application or in the web server configuration, and serve nothing else on port 80. As an additional defense, send the Strict-Transport-Security (HSTS) HTTP response header on HTTPS responses so that browsers that have seen it once will not make plain HTTP requests to the site again. Note that HSTS is only honored when received over HTTPS, and only after the browser's first HTTPS visit, so it complements the redirect rather than replacing it.
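As an added example (not configuration from the original page or from SmartScanner), the following nginx configuration shows the misconfiguration beside its corrected form. The hostname example.com and the certificate paths are assumptions; replace them with your own.

```nginx
# --- Misconfigured: one server block answers on both ports, so an
# --- http:// request is served in clear text and never redirected.
server {
    listen 80;
    listen 443 ssl;
    server_name example.com;                       # assumed hostname

    ssl_certificate     /etc/ssl/certs/example.com.pem;   # assumed path
    ssl_certificate_key /etc/ssl/private/example.com.key; # assumed path

    root /var/www/example;
}

# --- Corrected: port 80 does nothing but redirect, port 443 serves the
# --- site and adds HSTS.
server {
    listen 80;
    server_name example.com;

    # Permanent redirect to the same host and path over HTTPS.
    # $host echoes the client's Host header; if this server block also
    # catches unknown hostnames, use a fixed hostname instead so a
    # crafted Host header cannot steer the redirect elsewhere.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/ssl/certs/example.com.pem;   # assumed path
    ssl_certificate_key /etc/ssl/private/example.com.key; # assumed path

    # HSTS: browsers ignore this header over plain HTTP, so it belongs
    # only in the HTTPS server block. "always" makes nginx send it on
    # error responses (4xx/5xx) too, not just on 2xx/3xx.
    # Start with a short max-age and raise it once you are sure every
    # subdomain is reachable over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/example;
}
```

To verify after reloading, request the HTTP URL without following redirects (for example `curl -sI http://example.com/some/path`) and check for a `301` status with a `Location:` header pointing at `https://example.com/some/path`; then request the HTTPS URL and confirm the `Strict-Transport-Security` header is present.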

References

Last updated on February 15, 2021
