HTTP to HTTPS Insecure Transition in Form Post

ID

http_to_https_insecure_transition_in_form_post

Severity

high

Kind

Security Misconfiguration

CWE

319

Description

This check looks for pages served over insecure HTTP that host forms submitting to HTTPS endpoints. Because the HTTP page itself can be tampered with by a man-in-the-middle (MITM) attacker, the "secure" HTTPS form can be replaced or spoofed before the user ever submits it.
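The following is an added example of how such a check can be implemented; it is not the scanner's own code. It resolves every form action against the page URL (so relative, protocol-relative and missing actions inherit the page's scheme) and reports only forms that jump from an HTTP page to an HTTPS endpoint. The sample page URL and HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects the resolved action URL of every <form> on the page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag != "form":  # HTMLParser already lowercases tag names
            return
        action = dict(attrs).get("action") or ""
        # An empty or missing action submits to the page URL itself;
        # relative and protocol-relative ("//host/path") actions inherit
        # the page's scheme, so none of those count as an HTTPS transition.
        self.actions.append(urljoin(self.page_url, action.strip()))


def find_insecure_transition_forms(page_url, html):
    """Return form actions that submit over HTTPS from a page served over plain HTTP."""
    if urlsplit(page_url).scheme.lower() != "http":
        return []  # only pages fetched over plain HTTP can exhibit this finding
    parser = _FormCollector(page_url)
    parser.feed(html)
    return [a for a in parser.actions if urlsplit(a).scheme.lower() == "https"]


# Constructed sample page (hypothetical hosts): served over HTTP, with one
# HTTPS login form plus three forms that stay on the page's own scheme.
SAMPLE_PAGE_URL = "http://shop.example.test/account"
SAMPLE_HTML = """
<html><body>
  <form action="https://auth.example.test/login" method="post">...</form>
  <form action="/search" method="get">...</form>
  <form action="//cdn.example.test/upload" method="post">...</form>
  <form method="post">...</form>
</body></html>
"""

if __name__ == "__main__":
    for action in find_insecure_transition_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("HTTP page hosts HTTPS form:", action)
```

Only the first form is reported; the same HTML fetched over HTTPS yields no finding, which is the state the remediation below aims for.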

Rationale

An HTTP page hosting an HTTPS form creates a critical vulnerability window before the secure submission occurs. Attackers performing man-in-the-middle attacks can modify the insecure HTTP page, replacing the HTTPS form action with an HTTP endpoint or injecting malicious JavaScript to steal data before submission. Users cannot detect this tampering, and the initial HTTP request exposes session cookies that may allow further attacks.

Remediation

Serve all pages containing forms over HTTPS, not just the form submission endpoints. Implement HTTPS for the entire site to eliminate mixed security contexts. Configure HTTP to HTTPS redirects at the server level, and deploy HTTP Strict Transport Security (HSTS) headers to force browsers to use HTTPS for all subsequent requests to your domain.