7.9 Ensure All Web Content is Accessed via HTTPS

Information

All of the website content should be served via HTTPS rather than HTTP. A redirect from the HTTP website to the HTTPS content is often useful and is recommended, but all significant content should be accessed via HTTPS so that it is authenticated and encrypted.

Rationale:

The usage of clear text HTTP prevents the client browser from authenticating the connection and ensuring the integrity of the website information. Without the HTTPS authentication, a client may be subjected to a variety of man-in-the-middle and spoofing attacks which would cause them to receive modified web content which could harm the organization's reputation. Through DNS attacks or malicious redirects, the client could arrive at a malicious website instead of the intended website. The malicious website could deliver malware, request credentials, or deliver false information.

Solution

Perform the following to implement the recommended state:

Move the web content to a TLS enabled website, and add an HTTP 'Redirect' directive to the Apache configuration file to redirect to the TLS enabled website similar to the example shown.

Redirect permanent / https://www.cisecurity.org/

See Also

https://workbench.cisecurity.org/files/2381