Details | |
---|---|
Alert Id | 10047 |
Alert Type | Active |
Status | beta |
Risk | Low |
CWE | 311 |
WASC | 4 |
Technologies Targeted | All |
Tags | OWASP_2017_A06 OWASP_2021_A05 WSTG-V42-CRYP-03 |
Summary
Content which was initially accessed via HTTPS (i.e.: using SSL/TLS encryption) is also accessible via HTTP (without encryption).
Solution
Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security.
Other Info
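The solution above boils down to two verifiable properties: the plain-HTTP variant of an HTTPS URL must not return the content (it should redirect to HTTPS or refuse), and the HTTPS response should carry a sound Strict-Transport-Security header. The following added example, which is not part of the ZAP alert page or of ZAP's own scanner code, is a small offline checker for both properties. It works on already-captured responses (status code plus headers) so it can run in a test suite without network access; the sample responses at the bottom are constructed for illustration, and the hostname `example.com` and the one-year minimum `max-age` are assumptions, not values from the page.

```python
"""Classify captured responses for the "HTTPS content available via HTTP"
finding and assess the HSTS header (RFC 6797). Added example, not ZAP code."""
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # assumed minimum max-age; common deployment guidance


def http_exposure(https_url, http_status, http_headers):
    """Decide what the plain-HTTP fetch of an HTTPS URL reveals.

    Returns one of:
      'redirects-to-https'  - safe: client is sent to the HTTPS origin
      'redirects-elsewhere' - redirect, but not to the HTTPS version of this host
      'served-in-clear'     - the finding: content delivered without TLS
      'not-served'          - error/denied: no content over HTTP
    """
    target = urlsplit(https_url)
    headers = {k.lower(): v for k, v in http_headers.items()}
    if 300 <= http_status < 400 and "location" in headers:
        loc = urlsplit(headers["location"])
        # Compare host only; port is dropped so example.com:443 still matches.
        if loc.scheme == "https" and loc.hostname == target.hostname:
            return "redirects-to-https"
        return "redirects-elsewhere"
    if 200 <= http_status < 300:
        return "served-in-clear"
    return "not-served"


def parse_hsts(value):
    """Split a Strict-Transport-Security value into a directive dict.

    Directive names are case-insensitive; optional quotes are stripped.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def hsts_assessment(value, min_age=ONE_YEAR):
    """Rate the HSTS header found on the HTTPS response.

    'missing'       - header absent: browsers will keep trying plain HTTP
    'invalid'       - max-age absent or not an integer (header is ignored)
    'disabled'      - max-age=0 explicitly clears the policy
    'short-max-age' - present but shorter than min_age
    'ok'            - usable policy
    """
    if value is None:
        return "missing"
    directives = parse_hsts(value)
    try:
        max_age = int(directives["max-age"])
    except (KeyError, ValueError):
        return "invalid"
    if max_age == 0:
        return "disabled"
    if max_age < min_age:
        return "short-max-age"
    return "ok"


# Constructed sample captures (not real traffic) for the same resource.
HTTPS_URL = "https://example.com/account/settings"
SAMPLES = {
    # Plain-HTTP fetch answered with the page itself: the alert condition.
    "exposed": (200, {"Content-Type": "text/html"}),
    # Plain-HTTP fetch redirected to the TLS origin: the fix in place.
    "fixed": (301, {"Location": "https://example.com/account/settings"}),
    # Redirect to some other site is not a fix for this resource.
    "offsite": (302, {"Location": "https://cdn.example.net/"}),
}


def report(https_url=HTTPS_URL, samples=SAMPLES, hsts_value=None):
    """Summarise each HTTP sample plus the HSTS rating of the HTTPS response."""
    result = {name: http_exposure(https_url, status, hdrs)
              for name, (status, hdrs) in samples.items()}
    result["hsts"] = hsts_assessment(hsts_value)
    return result


if __name__ == "__main__":
    for name, verdict in report(hsts_value="max-age=31536000; includeSubDomains").items():
        print(f"{name:8s} {verdict}")
```

Only the `served-in-clear` verdict corresponds to alert 10047; `redirects-elsewhere` is flagged separately because a redirect to a different host does not prove this origin refuses to serve the content in clear. The HSTS rating only matters once the redirect is in place, since the header is ignored by browsers when received over plain HTTP.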
References
- https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html
- https://owasp.org/www-community/Security_Headers
- http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
- http://caniuse.com/stricttransportsecurity
- http://tools.ietf.org/html/rfc6797