HTTPS to HTTP Insecure Transition in Form Post

ID

https_to_http_insecure_transition_in_form_post

Severity

high

Kind

Security Misconfiguration

CWE

319

Description

This check identifies pages served over HTTPS that contain forms whose action URL points to an HTTP endpoint. Submitting such a form moves from a secure page to an insecure request, so the user may believe they are sending data to a secure page when in fact they are not.

Rationale

When a secure HTTPS page submits form data to an HTTP endpoint, the data is transmitted in cleartext even though the page itself appears secure to the user. An attacker positioned on the network path can intercept this unencrypted submission through a man-in-the-middle attack and capture credentials, payment information, or personal data. The visual HTTPS indicator misleads users into a false sense of security, making them more likely to submit sensitive information that is then exposed.

Remediation

Ensure all form action URLs use the HTTPS protocol, especially for forms collecting sensitive data such as credentials or payment information. Review and update form action attributes to use HTTPS endpoints. Implement Content Security Policy (CSP) headers that enforce secure connections, and consider using HTTP Strict Transport Security (HSTS) to prevent any HTTP connections to your domain.