Details

Alert Id: 10047
Alert Type: Active
Status: beta
Risk: Low
CWE: 311
WASC: 4
Tags: OWASP_2017_A06, OWASP_2021_A05, WSTG-V42-CRYP-03

Summary

Content that was initially accessed via HTTPS (i.e. using SSL/TLS encryption) is also accessible via HTTP (without encryption).

Solution

Ensure that your web server, application server, load balancer, etc. are configured to serve such content only via HTTPS. Consider implementing HTTP Strict Transport Security (HSTS).
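A defender-side check for the condition in the summary, useful for confirming that the fix above took effect. This is an added Python example, not the rule's own Java source (whose exact logic may differ): it derives the cleartext twin of an HTTPS URL, fetches it without following redirects, and reports whether the content is exposed, redirected back to HTTPS, or refused. The names `http_twin`, `judge` and `check` are chosen here.

```python
# Added example, not part of the ZAP rule: "is this HTTPS content also
# served in the clear?" Names below are hypothetical, not the rule's API.
from urllib.parse import urlsplit, urlunsplit
import urllib.error
import urllib.request


def http_twin(https_url: str) -> str:
    """Return the http:// URL that mirrors an https:// URL (443 -> 80)."""
    parts = urlsplit(https_url)
    if parts.scheme != "https":
        raise ValueError("expected an https:// URL")
    host = parts.hostname
    if host is None:
        raise ValueError("URL has no host")
    port = parts.port
    # An explicit non-default port is kept; default 443 becomes default 80.
    netloc = host if port in (None, 443) else f"{host}:{port}"
    return urlunsplit(("http", netloc, parts.path, parts.query, parts.fragment))


def judge(status: int, headers: dict) -> str:
    """Classify a plaintext response as 'redirected', 'refused' or 'exposed'."""
    loc = {k.lower(): v for k, v in headers.items()}.get("location", "")
    if status in (301, 302, 303, 307, 308) and loc.lower().startswith("https://"):
        return "redirected"  # good: the server pushes clients back to TLS
    if status >= 400:
        return "refused"     # good: nothing is served in the clear
    # 2xx content, or a redirect that keeps the client on plain HTTP:
    # either way the resource is reachable without encryption.
    return "exposed"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as an HTTPError instead of following it


def check(https_url: str, timeout: float = 5.0) -> str:
    """Fetch the HTTP twin of https_url and return judge()'s verdict."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(http_twin(https_url), timeout=timeout) as resp:
            return judge(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here
        return judge(err.code, dict(err.headers))
```

Run `check("https://<your-host>/<path>")` against a host you administer; an "exposed" verdict reproduces this alert, and "redirected" is what the solution above should yield.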

References

Code

org/zaproxy/zap/extension/ascanrulesBeta/HttpsAsHttpScanRule.java