Insecure HTTP Usage
Description
The web application is accessible over unencrypted HTTP connections without automatically redirecting users to the secure HTTPS version. This means users can access and interact with the application over an insecure channel, potentially exposing sensitive data during transmission.
Remediation
Implement automatic HTTP to HTTPS redirection to ensure all traffic uses encrypted connections. This should be configured at the web server level to redirect all HTTP requests (port 80) to their HTTPS equivalents (port 443) using a 301 (permanent) or 302 (temporary) redirect status code.
For Apache, add to your virtual host configuration:

RewriteEngine On
# Match only requests that did not arrive over TLS
RewriteCond %{HTTPS} off
# Permanent redirect to the same host and path over HTTPS
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]

For Nginx, add to your server block:

server {
    # Plain-HTTP listener: redirect every request, keeping the path and query string
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}

For application-level implementations, ensure the redirect is issued before any sensitive data from the request is read or processed. Additionally, send an HTTP Strict Transport Security (HSTS) header on HTTPS responses to instruct browsers to use only HTTPS for future requests to the site.
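An application-level version of the remediation, as an added example (a hypothetical WSGI middleware, not code from this finding or from any particular product): it redirects plain-HTTP requests to HTTPS before the wrapped application runs, and adds an HSTS header to HTTPS responses. The X-Forwarded-Proto handling assumes a TLS-terminating reverse proxy in front of the application and is disabled unless explicitly trusted, so a client cannot forge the header to skip the redirect; the host, path and HSTS values are constructed for the demo.

```python
"""Hypothetical WSGI middleware (added example, not from the original finding).

Redirects plain-HTTP requests to their HTTPS equivalent before the wrapped
application sees the request, and adds a Strict-Transport-Security header to
HTTPS responses.  X-Forwarded-Proto is only honoured when the deployment is
known to sit behind a TLS-terminating proxy (an assumption of this example).
"""
from urllib.parse import quote

# One year, a commonly used HSTS lifetime (constructed value for the demo)
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def request_scheme(environ, trust_forwarded_proto=False):
    """Return 'http' or 'https' for a WSGI environ.

    Behind a TLS-terminating proxy wsgi.url_scheme is 'http' even for HTTPS
    clients, so the proxy's X-Forwarded-Proto is used instead, but only when
    trusted: otherwise any client could send the header and bypass the redirect.
    """
    if trust_forwarded_proto:
        forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
        if forwarded:
            return forwarded.split(",")[0].strip().lower()
    return environ.get("wsgi.url_scheme", "http").lower()


def https_location(environ):
    """Build the https:// URL equivalent of the current request."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    # Drop an explicit :80 port; assumes a hostname, not a bracketed IPv6 literal
    host = host.split(":")[0]
    path = quote(environ.get("PATH_INFO", "/") or "/")
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


class HttpsRedirectMiddleware:
    def __init__(self, app, trust_forwarded_proto=False, permanent=True):
        self.app = app
        self.trust_forwarded_proto = trust_forwarded_proto
        self.status = "301 Moved Permanently" if permanent else "302 Found"

    def __call__(self, environ, start_response):
        if request_scheme(environ, self.trust_forwarded_proto) != "https":
            # Redirect before the wrapped app reads anything from the request
            start_response(self.status, [("Location", https_location(environ)),
                                         ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            # Replace any existing HSTS header so the policy is set in one place
            headers = [(k, v) for k, v in headers
                       if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_with_hsts)


def call(app, environ):
    """Test helper: invoke a WSGI app and return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


def demo_app(environ, start_response):
    """Stand-in for the protected application (constructed for the demo)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello over TLS"]


def make_environ(scheme, host="example.com", path="/login",
                 query="next=%2Faccount", forwarded=None):
    """Build a minimal constructed WSGI environ for the demo."""
    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "SERVER_NAME": host,
               "PATH_INFO": path, "QUERY_STRING": query, "REQUEST_METHOD": "GET"}
    if forwarded is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded
    return environ


if __name__ == "__main__":
    app = HttpsRedirectMiddleware(demo_app)
    print(call(app, make_environ("http")))   # 301 with an https:// Location
    print(call(app, make_environ("https")))  # 200 with the HSTS header added
```

Wrapping the application at the outermost layer matters: the redirect must run before any request body or cookie is parsed, otherwise the "before any sensitive data is processed" requirement above is not met. Setting `trust_forwarded_proto=True` is only safe when the proxy overwrites the header on every request it forwards.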