SSL/TLS Not Implemented
Description
The application is accessible over an unencrypted HTTP connection instead of HTTPS. Without SSL/TLS encryption, all data transmitted between the client and server travels in plaintext across the network, making it vulnerable to interception and manipulation by attackers positioned anywhere along the communication path.
Remediation
Implement TLS to secure all communications between clients and the server: obtain a certificate for the site's hostname from a trusted Certificate Authority (CA), serve the application on port 443, permit only TLS 1.2 and 1.3 (TLS 1.0 and 1.1 were deprecated by RFC 8996), and configure the web server to answer every plain-HTTP request with a permanent redirect to the corresponding HTTPS URL.
For Apache (mod_ssl must be enabled), add the following to your configuration:
<VirtualHost *:80>
    ServerName example.com
    # Permanent (301) redirect; Apache appends the requested path to the target
    Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    # Allow only TLS 1.2 and 1.3 (+TLSv1.3 needs Apache 2.4.37+ built against OpenSSL 1.1.1+)
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCertificateFile /path/to/certificate.crt
    SSLCertificateKeyFile /path/to/private.key
    # Intermediate CA certificates. Deprecated since Apache 2.4.8: the chain can
    # instead be appended to the file named in SSLCertificateFile
    SSLCertificateChainFile /path/to/chain.crt
</VirtualHost>
For Nginx:
server {
    listen 80;
    server_name example.com;
    # $server_name is the configured name, not the client-supplied Host header,
    # so the redirect target cannot be steered by the request
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name example.com;
    # nginx has no separate chain directive: this file must hold the server
    # certificate followed by the intermediate CA certificates
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;
    # SSLv3, TLS 1.0 and TLS 1.1 are deprecated and must not be offered
    ssl_protocols TLSv1.2 TLSv1.3;
}
Additionally, send the HTTP Strict Transport Security (HSTS) response header on HTTPS responses, for example Strict-Transport-Security: max-age=31536000; includeSubDomains, so that a browser that has seen it once rewrites later http:// requests to https:// locally and refuses to click through certificate errors. The redirect alone cannot provide this: the user's first request still travels in plaintext and can be intercepted before the redirect ever arrives. Browsers ignore the header when it is received over plain HTTP (RFC 6797, section 8.1), so it belongs only in the HTTPS virtual host, and includeSubDomains should be set only once every subdomain is served over HTTPS, because the policy applies to all of them. HSTS preloading (submitting the domain at hstspreload.org for inclusion in browsers' built-in lists) closes the first-request gap; it requires a max-age of at least one year (31536000 seconds), includeSubDomains, the preload directive and an HTTP-to-HTTPS redirect on the same host, and it is slow to reverse, so treat it as a long-term commitment.
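The following Python script is an added example, not part of the original finding, that checks the two remediation steps described above offline: that a plain-HTTP response is a permanent, same-host, path-preserving redirect to https://, and that the HTTPS response carries a Strict-Transport-Security header strong enough for preloading. The responses it inspects are constructed in the script; a live check would obtain them with http.client or curl against the remediated host. The function names, the problem messages and the treatment of an HSTS header seen over plain HTTP as a misplacement are assumptions of this example; the one-year preload minimum is the published hstspreload.org requirement.

```python
"""Offline checks for the HTTP-to-HTTPS redirect and the HSTS header.

Added example; the sample responses below are constructed, not captured from
a real host. A live check would fetch them with http.client or curl.
"""
from urllib.parse import urlsplit

# hstspreload.org requires a max-age of at least one year (31536000 seconds).
ONE_YEAR = 31536000


def check_redirect(request_host, request_path, status, headers):
    """Return problems with a plain-HTTP response that should redirect to HTTPS.

    An empty list means the response is a permanent, same-host, path-preserving
    redirect to https://, which is what the server configurations above produce.
    """
    problems = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status not in (301, 308):
        problems.append(f"status {status}: expected a permanent redirect (301 or 308)")
    location = hdrs.get("location")
    if location is None:
        problems.append("no Location header")
        return problems
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"redirect target scheme is {target.scheme or 'relative'}, not https")
    if target.hostname != request_host:
        problems.append(f"redirect leaves the host ({target.hostname}); preloading requires a same-host redirect")
    if target.path != request_path:
        problems.append(f"path not preserved: {request_path} -> {target.path}")
    if "strict-transport-security" in hdrs:
        # Harmless but pointless: RFC 6797 section 8.1 makes browsers ignore HSTS over plain HTTP.
        problems.append("HSTS header sent over plain HTTP is ignored by browsers; move it to the HTTPS host")
    return problems


def parse_hsts(value):
    """Split an HSTS value into {directive-name: value-or-None}; names are case-insensitive."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def check_hsts(headers, want_preload=False):
    """Return problems with the Strict-Transport-Security header of an HTTPS response."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    value = hdrs.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    directives = parse_hsts(value)
    raw_max_age = directives.get("max-age")
    if raw_max_age is None or not raw_max_age.isdigit():
        return [f"malformed or missing max-age in '{value}'"]
    problems = []
    max_age = int(raw_max_age)
    if max_age == 0:
        problems.append("max-age=0 tells browsers to forget the policy rather than enforce it")
    elif max_age < ONE_YEAR:
        problems.append(f"max-age={max_age} is below the one-year preload minimum ({ONE_YEAR})")
    if want_preload:
        if "includesubdomains" not in directives:
            problems.append("preloading requires includeSubDomains")
        if "preload" not in directives:
            problems.append("preloading requires the preload directive")
    return problems


# Constructed sample responses (not captured from any real host).
WEAK_HTTP = (302, {"Location": "http://example.com/login", "Content-Type": "text/html"})
GOOD_HTTP = (301, {"Location": "https://example.com/login"})
WEAK_HTTPS = {"Strict-Transport-Security": "max-age=3600"}
GOOD_HTTPS = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}

if __name__ == "__main__":
    for label, (status, hdrs) in (("weak", WEAK_HTTP), ("good", GOOD_HTTP)):
        print(f"{label} HTTP response:", check_redirect("example.com", "/login", status, hdrs) or "ok")
    for label, hdrs in (("weak", WEAK_HTTPS), ("good", GOOD_HTTPS)):
        print(f"{label} HTTPS response:", check_hsts(hdrs, want_preload=True) or "ok")
```

The redirect check insists on the same host because a redirect to a different name (for example www.example.com) satisfies the browser but fails the preload submission, and the HSTS check treats max-age=0 separately because that value is the documented way to withdraw a policy, not a short-lived one.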