HTTPS Content Available via HTTP

ID

https_content_available_via_http

Severity

low

Kind

Security Misconfiguration

CWE

311

Description

Content that was initially accessed via HTTPS (i.e. over an SSL/TLS-encrypted connection) is also accessible via HTTP (without encryption).

Rationale

When content is accessible via both HTTPS and HTTP, attackers can perform SSL stripping attacks to downgrade encrypted connections to plaintext. Users who access the HTTP version unknowingly expose their session cookies, credentials, and personal data to network eavesdroppers. Mixed availability undermines security guarantees, as attackers can redirect victims to the unencrypted version through DNS poisoning or malicious links.

Remediation

Ensure that your web server, application server, load balancer, etc. are configured to serve such content only via HTTPS. Consider implementing HTTP Strict Transport Security (HSTS).
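As an added example (not part of this check's own implementation), the following Python classifies the plaintext-HTTP response for a resource first seen over HTTPS and audits the HSTS header on the HTTPS response; the URL, headers and the one-year `max-age` baseline are constructed assumptions.

```python
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; assumed minimum for a useful HSTS max-age


def parse_hsts(value):
    """Split a Strict-Transport-Security header into {directive: value or True}."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"') or True
    return directives


def http_exposure(https_url, status, headers):
    """Classify the plaintext response for a URL that was first seen over HTTPS.
    'exposed'  - 2xx: the content is served unencrypted (this finding applies)
    'redirect' - 3xx whose Location points back to HTTPS on the same host
    'other'    - anything else (404, 5xx, redirect to a non-HTTPS target)
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 307, 308):
        target = urlsplit(lower.get("location", ""))
        same_host = target.hostname == urlsplit(https_url).hostname
        return "redirect" if target.scheme == "https" and same_host else "other"
    return "exposed" if 200 <= status < 300 else "other"


def hsts_findings(https_headers):
    """Return a list of HSTS problems on the HTTPS response; empty means fine."""
    lower = {k.lower(): v for k, v in https_headers.items()}
    if "strict-transport-security" not in lower:
        return ["no Strict-Transport-Security header"]
    d = parse_hsts(lower["strict-transport-security"])
    problems = []
    max_age = d.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        problems.append("max-age missing or not a number")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age {max_age} is shorter than one year")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains not set")
    return problems


# Constructed sample responses (not captured from any real host).
HTTPS_URL = "https://shop.example/account"
VULNERABLE_HTTP = (200, {"Content-Type": "text/html"})
FIXED_HTTP = (301, {"Location": "https://shop.example/account"})
FIXED_HTTPS_HEADERS = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}

if __name__ == "__main__":
    print(http_exposure(HTTPS_URL, *VULNERABLE_HTTP))  # exposed
    print(http_exposure(HTTPS_URL, *FIXED_HTTP))       # redirect
    print(hsts_findings(FIXED_HTTPS_HEADERS))          # []
```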