Password transmitted over HTTP
Description
This vulnerability occurs when a web application transmits user authentication credentials (usernames and passwords) over an unencrypted HTTP connection instead of HTTPS. Without encryption, credentials are sent in plain text across the network, making them vulnerable to interception. All authentication forms and login mechanisms must use HTTPS to protect sensitive user data during transmission.
Remediation
Implement the following measures to ensure credentials are transmitted securely:
1. Enforce HTTPS for all pages - Configure your web server to redirect all HTTP requests to HTTPS, especially for login pages and any forms handling credentials.
2. Update form actions - Ensure all authentication forms submit to HTTPS endpoints:
   <form action="https://example.com/login" method="POST">
     <input type="text" name="username" />
     <input type="password" name="password" />
     <button type="submit">Login</button>
   </form>
3. Enable HTTP Strict Transport Security (HSTS) - Add the HSTS header to force browsers to use HTTPS:
Strict-Transport-Security: max-age=31536000; includeSubDomains
4. Obtain and install a valid SSL/TLS certificate - Use certificates from trusted Certificate Authorities or free services like Let's Encrypt.
5. Disable HTTP access entirely - If possible, configure your web server to only accept HTTPS connections on port 443 and disable port 80, or configure port 80 to immediately redirect to HTTPS.
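The following audit helper is an added example, not part of the original advisory, that checks the remediation steps above against a captured page: it flags password forms whose resolved submit URL is not HTTPS (a relative action such as "/login" inherits the page's own scheme, so it is still a finding on an http:// page), classifies the Strict-Transport-Security header against the one-year max-age used in step 3, and tells whether a plain-HTTP response redirected to HTTPS on the same host as steps 1 and 5 require. The HTML and header samples are constructed for an offline run; only the Python standard library is used.

```python
"""Audit helper for the "password transmitted over HTTP" finding (added example).

Inputs are the URL a page was served from, its HTML, and its response headers.
Everything runs offline; the samples at the bottom are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

MIN_HSTS_MAX_AGE = 31536000  # one year, the value used in the remediation text


def _header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


class _FormCollector(HTMLParser):
    """Record each <form> with its action and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_password_forms(page_url, html):
    """Return resolved submit URLs of password forms that would post over plain HTTP.

    An empty or relative action resolves against the page URL, so the page's own
    scheme decides the result: this is why step 1 (redirect to HTTPS) matters even
    when the form action is relative.
    """
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            findings.append(target)
    return findings


def hsts_status(headers):
    """Classify Strict-Transport-Security as 'missing', 'weak' (max-age below a year) or 'ok'."""
    value = _header(headers, "Strict-Transport-Security")
    if value is None:
        return "missing"
    max_age = 0
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.lower() == "max-age" and num.strip().isdigit():
            max_age = int(num.strip())
    return "ok" if max_age >= MIN_HSTS_MAX_AGE else "weak"


def redirects_to_https(status, headers, page_url):
    """True if a plain-HTTP response redirects to an https URL on the same host."""
    if status not in (301, 302, 307, 308):
        return False
    location = _header(headers, "Location") or ""
    target = urlsplit(urljoin(page_url, location))
    return target.scheme == "https" and target.hostname == urlsplit(page_url).hostname


# Constructed samples: a login form with a relative action, and the same form
# pointed at an absolute https endpoint as in remediation step 2.
VULNERABLE_HTML = """
<form action="/login" method="POST">
  <input type="text" name="username" />
  <input type="password" name="password" />
  <button type="submit">Login</button>
</form>
"""
FIXED_HTML = VULNERABLE_HTML.replace('action="/login"', 'action="https://example.com/login"')

if __name__ == "__main__":
    print("over HTTP:", insecure_password_forms("http://example.com/", VULNERABLE_HTML))
    print("after fix:", insecure_password_forms("http://example.com/", FIXED_HTML))
    print("HSTS:", hsts_status({"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
    print("redirect:", redirects_to_https(301, {"Location": "https://example.com/"}, "http://example.com/"))
```

Run it against a page captured from the site under review; a non-empty list from insecure_password_forms, an HSTS status other than "ok", or a False from redirects_to_https each maps back to one of the numbered remediation steps.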