HTTPS Content Available via HTTP

Reference

Plugin Id: 10047 | CWE: 311

Remediation

To fix this vulnerability, you should enforce HTTPS for all content and prevent access via HTTP. This can be achieved by implementing the following measures:

  1. Redirect HTTP to HTTPS: Configure your web server to answer every plain-HTTP request with a permanent redirect to the same URL over HTTPS. For Apache with mod_rewrite enabled, add the following to the virtual host configuration (or .htaccess):

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    

    These three directives are specific to Apache's mod_rewrite; if you run a different web server (nginx, IIS, a cloud load balancer), use its own redirect mechanism to produce the same 301 to the HTTPS URL. After deploying, confirm with a plain-HTTP request that the response is a 301/308 whose Location header points at https:// on the same host.

  2. Strict Transport Security (HSTS): Send an HTTP Strict Transport Security header so that, once a browser has seen it over HTTPS, the browser rewrites all subsequent requests for the domain to HTTPS itself, before any request leaves the client. Add the following header to the server's HTTPS responses (browsers ignore it on plain HTTP):

    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    

    Adjust the max-age value to specify the duration (in seconds) for which the browser should remember to use HTTPS; 31536000 is one year. The includeSubDomains directive extends the policy to all subdomains, and the preload directive signals that the domain may be included in the HSTS preload list built into browsers. Note that preload only marks eligibility: the domain must still be submitted to the preload list separately, and removal from that list is slow, so enable includeSubDomains and preload only once every subdomain is reachable over HTTPS.

  3. Content Security Policy (CSP): Implement a Content Security Policy to restrict the loading of content from insecure sources. This can help prevent mixed content issues and ensure that all resources are loaded securely. An example CSP header is as follows:

    Content-Security-Policy: upgrade-insecure-requests
    

    The upgrade-insecure-requests directive instructs the browser to rewrite the page's insecure subresource requests (scripts, stylesheets, images, same-origin navigations) to HTTPS before sending them. It complements, but does not replace, the server-side redirect in step 1, since it only takes effect after the page itself has been loaded over HTTPS.
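    The three remediation steps can be verified against captured responses. The following Python checker is an added example, not part of the original reference page: given the status and headers of the plain-HTTP response and the headers of the HTTPS response for the same URL, it reports which of the controls above are missing. Sample responses and the host name example.test are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value}."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = val.strip().strip('"')
    return out

def check_remediation(host, http_status, http_headers, https_headers,
                      min_max_age=31536000):
    """Return the missing controls (empty list when all three are in place).
    Headers are plain dicts; names are matched case-insensitively."""
    http_h = {k.lower(): v for k, v in http_headers.items()}
    https_h = {k.lower(): v for k, v in https_headers.items()}
    findings = []
    # 1. Plain HTTP must answer with a permanent redirect (301/308) to the
    #    HTTPS URL on the same host; a 200 here is what the scanner flags.
    loc = http_h.get("location", "")
    if http_status not in (301, 308) or not loc:
        findings.append("http-not-redirected")
    else:
        u = urlsplit(loc)
        if u.scheme != "https" or u.hostname != host:
            findings.append("redirect-not-https-same-host")
    # 2. HSTS on the HTTPS response, max-age of at least a year, subdomains covered.
    hsts = https_h.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    else:
        d = parse_hsts(hsts)
        age = d.get("max-age", "")
        if not age.isdigit() or int(age) < min_max_age:
            findings.append("hsts-max-age-too-short")
        if "includesubdomains" not in d:
            findings.append("hsts-no-includesubdomains")
    # 3. CSP upgrade-insecure-requests so subresources are not fetched over HTTP.
    csp = https_h.get("content-security-policy", "")
    if "upgrade-insecure-requests" not in [p.strip().lower() for p in csp.split(";")]:
        findings.append("csp-no-upgrade-insecure-requests")
    return findings

# Constructed sample responses: the same server before and after the fix.
BAD_HTTP = (200, {"Content-Type": "text/html"})
BAD_HTTPS = {"Content-Type": "text/html"}
GOOD_HTTP = (301, {"Location": "https://example.test/login"})
GOOD_HTTPS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
              "Content-Security-Policy": "default-src 'self'; upgrade-insecure-requests"}
```

    To use it against a live host, capture the responses with a client that does not follow redirects and pass the status and header dicts in.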

About

Content which was initially accessed via HTTPS (i.e., using SSL/TLS encryption) is also accessible via HTTP (without encryption). This vulnerability occurs when a website allows access to the same content over both HTTP and HTTPS protocols. It can happen due to misconfigurations or lack of proper redirection from HTTP to HTTPS.

Risks

The presence of HTTPS content accessible via HTTP poses several risks:

  1. Data interception: Without encryption, the content transmitted over HTTP can be intercepted and read by attackers. This includes sensitive information such as login credentials, personal data, and financial details.

  2. Man-in-the-Middle attacks: Attackers can exploit the lack of encryption to perform Man-in-the-Middle (MitM) attacks. They can intercept the communication between the user and the server, modify the content, or inject malicious code.

  3. Loss of trust and reputation: Allowing access to HTTPS content via HTTP undermines the trust and credibility of the website. Users may perceive the site as insecure and be reluctant to share sensitive information or engage in transactions.

  4. Compliance violations: Depending on the industry and jurisdiction, there may be legal or regulatory requirements to protect sensitive data with encryption. Failure to enforce HTTPS can result in compliance violations and potential legal consequences.