Insecure transition from HTTPS to HTTP in form post
Description
A form on an HTTPS-secured page is configured to submit data to an HTTP (unencrypted) endpoint. When users submit the form, the request body, the query string and any cookies not marked Secure are transmitted in cleartext over the network, even though the page itself was served over a secure connection. Anyone on the path can read the submission (in the example below, a username and password) and, because the response also arrives over HTTP, can tamper with it. This creates a false sense of security: the padlock and HTTPS indicators only reflect how the page was loaded, while users reasonably expect everything they type into it to be encrypted as well. Recent browser versions warn before submitting such a form, but that warning is a safety net that users can click through, not a fix.
Remediation
Update the form's action attribute to use HTTPS instead of HTTP, or use a path-relative action (for example action="/submit") so that the form inherits the scheme of the page it is served from. Ensure that the entire user workflow, from initial page load through form submission and response, occurs over encrypted connections. Note that redirecting HTTP to HTTPS on the server does not help here: the browser has already sent the form body in cleartext by the time the redirect arrives. Check also for formaction attributes on submit buttons and for script that rewrites the action at runtime, since either can override the action shown in the markup. As a backstop, a Content-Security-Policy header with form-action https: (or a list of trusted https:// origins) makes the browser refuse any form submission to a cleartext target that was missed.
Example fix:
<!-- Insecure - DO NOT USE -->
<form action="http://example.com/submit" method="POST">
  <input type="text" name="username" />
  <input type="password" name="password" />
  <button type="submit">Login</button>
</form>

<!-- Secure - Use HTTPS -->
<form action="https://example.com/submit" method="POST">
  <input type="text" name="username" />
  <input type="password" name="password" />
  <button type="submit">Login</button>
</form>
Additionally, implement HTTP Strict Transport Security (HSTS) headers to prevent protocol downgrade attacks and enforce HTTPS across your entire application. HSTS is defence in depth rather than a substitute for fixing the action attribute: the browser rewrites http:// requests to https:// only for hosts from which it has already received the header (or that are on the preload list), and a host's policy covers only that host, plus its subdomains if includeSubDomains is set. A form that posts to a third-party HTTP host is not protected by the HSTS header of the page that contains it.
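The following is an added example, not code from the original finding, showing how a practitioner might check a captured HTTPS page for this issue and whether the page's own HSTS policy would actually cover the offending targets. It resolves relative, empty and scheme-relative actions the way a browser does (honouring a <base href> and formaction overrides on submit controls) so that a harmless action="/login" on an https:// page is not reported. The sample page, hostnames and header values are constructed for the demonstration.

```python
"""Check an HTTPS page for forms that would submit over cleartext HTTP."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every form target, including <button formaction> overrides
    and a <base href>, which changes how relative actions resolve."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.forms = []          # list of (action, method)
        self._current = None     # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base is None:
            self.base = a["href"]
        elif tag == "form":
            self._current = (a.get("action") or "", (a.get("method") or "get").lower())
            self.forms.append(self._current)
        elif tag in ("button", "input") and a.get("formaction") and self._current:
            # A submit control may override the enclosing form's action.
            self.forms.append((a["formaction"], self._current[1]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_insecure_forms(page_url, html):
    """Return [(method, absolute_target)] for every form on an https:// page
    whose resolved target uses http://. An empty action submits to the page
    itself, so it is only reported if the page itself is http://."""
    if urlsplit(page_url).scheme != "https":
        return []  # the finding only applies to pages served over HTTPS
    collector = _FormCollector()
    collector.feed(html)
    base = urljoin(page_url, collector.base) if collector.base else page_url
    insecure = []
    for action, method in collector.forms:
        target = urljoin(base, action)
        if urlsplit(target).scheme == "http":
            insecure.append((method, target))
    return insecure


def hsts_rewrites(page_url, hsts_header, target_url):
    """Would the HSTS policy sent by the page's own host make the browser
    upgrade target_url before sending? Only that host, and its subdomains
    when includeSubDomains is present, are covered; a third-party http://
    host is never covered by this header, whatever it says."""
    if not hsts_header:
        return False
    max_age, include_subdomains = 0, False
    for directive in hsts_header.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                max_age = int(directive.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                return False  # malformed policy is ignored by browsers
        elif directive == "includesubdomains":
            include_subdomains = True
    if max_age <= 0:  # max-age=0 clears the policy
        return False
    page_host = urlsplit(page_url).hostname
    target_host = urlsplit(target_url).hostname or ""
    if target_host == page_host:
        return True
    return include_subdomains and target_host.endswith("." + page_host)


# Constructed sample page: one third-party cleartext action, one same-host
# cleartext formaction override, and two forms that resolve to https://.
SAMPLE_PAGE_URL = "https://shop.example.com/account"
SAMPLE_HSTS = "max-age=31536000; includeSubDomains"
SAMPLE_HTML = """<html><body>
<form action="http://example.com/submit" method="POST">
  <input type="text" name="username"><input type="password" name="password">
</form>
<form action="/login" method="post">
  <button type="submit" formaction="http://shop.example.com/legacy">Old</button>
</form>
<form method="get"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    for method, target in find_insecure_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        covered = hsts_rewrites(SAMPLE_PAGE_URL, SAMPLE_HSTS, target)
        print(f"{method.upper()} {target}  hsts_upgrade={covered}")
```

Run against the constructed page, the checker reports both cleartext targets; the page host's HSTS policy would upgrade the same-host /legacy submission but does nothing for the post to example.com, which is exactly why the action attribute itself has to be fixed.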