HTTP Only Site

Reference

Plugin Id: 10106

Resource

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.md

Remediation

To remediate the vulnerability of an HTTP only site, the following steps can be taken:

Implement HTTPS: The first step is to implement HTTPS on the site. This can be done by obtaining an SSL/TLS certificate and configuring the web server to use HTTPS. This will encrypt the communication between the client and the server, ensuring that sensitive information is protected.
Redirect HTTP to HTTPS: Once HTTPS is implemented, it is important to redirect all HTTP requests to HTTPS. This can be done by configuring the web server to automatically redirect any HTTP requests to the corresponding HTTPS URL. This will ensure that all traffic is encrypted and prevent users from accessing the site over an insecure connection.
Update internal links and resources: After implementing HTTPS and redirecting HTTP to HTTPS, it is important to update any internal links and resources on the site to use the HTTPS protocol. This includes updating links to images, scripts, stylesheets, and any other resources that are loaded on the site. Failure to update these links may result in mixed content warnings or broken functionality.

About

The vulnerability “HTTP Only Site” refers to a website that is only served under HTTP and not HTTPS. HTTP (Hypertext Transfer Protocol) is an insecure protocol that does not encrypt the communication between the client and the server. This means that any data transmitted over HTTP, including sensitive information such as passwords or credit card details, can be intercepted and read by attackers.

HTTPS (Hypertext Transfer Protocol Secure), on the other hand, is a secure version of HTTP that uses SSL/TLS encryption to protect the data transmitted between the client and the server. By implementing HTTPS, the site ensures that the communication is encrypted and secure, preventing attackers from intercepting and reading the data.

Risks

The risks associated with an HTTP only site include:

Data interception: Without HTTPS, any data transmitted between the client and the server can be intercepted and read by attackers. This includes sensitive information such as login credentials, personal information, and financial details.
Man-in-the-middle attacks: Without encryption, an attacker can perform a man-in-the-middle attack, intercepting the communication between the client and the server. This allows the attacker to modify or tamper with the data being transmitted, potentially leading to unauthorized access or data manipulation.
Loss of user trust: In today’s digital landscape, users have come to expect secure connections when accessing websites. An HTTP only site may be seen as untrustworthy or insecure, leading to a loss of user trust and potential reputational damage for the site owner.

To mitigate these risks, it is crucial to implement HTTPS on the site and ensure that all communication is encrypted and secure.