7.9 Ensure All Web Content is Accessed via HTTPS

Information

All of the website content should be served via HTTPS rather than HTTP. A redirect from the HTTP website to the HTTPS content is often useful and is recommended, but all significant content should be accessed via HTTPS so that it is authenticated and encrypted.

Rationale:

The use of clear-text HTTP prevents the client browser from authenticating the server and verifying the integrity of the website content. Without HTTPS authentication, a client may be subjected to a variety of man-in-the-middle and spoofing attacks that cause it to receive modified web content, which could harm the organization's reputation. Through DNS attacks or malicious redirects, the client could arrive at a malicious website instead of the intended one. The malicious website could deliver malware, request credentials, or deliver false information.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Perform the following to implement the recommended state:
Move the web content to a TLS-enabled website, and add a Redirect directive to the Apache configuration file for the HTTP site so that all requests are redirected to the TLS-enabled website, similar to the example shown.

Redirect permanent / https://www.cisecurity.org/
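As an added audit example (not CIS or Nessus tooling): a POSIX shell function that reads an Apache configuration and lists every port-80 VirtualHost that does not redirect all paths to an https:// URL with a directive like the one shown above. It assumes a single flat configuration file (Include'd files are not followed) and runs against a constructed sample config.

```shell
#!/bin/sh
# Constructed sample config: one compliant port-80 vhost (redirects to HTTPS),
# one that still serves content over clear-text HTTP, and the TLS vhost itself.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>
<VirtualHost *:80>
    ServerName intranet.example.com
    DocumentRoot /var/www/intranet
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
</VirtualHost>
EOF

# Print the ServerName of each port-80 vhost that lacks a whole-site https:// redirect.
# Returns 0 when every port-80 vhost redirects, 1 otherwise.
noncompliant_http_vhosts() {
    awk '
        $1 == "<VirtualHost" && $0 ~ ":80>" { inhttp = 1; name = "(no ServerName)"; ok = 0; next }
        !inhttp { next }
        $1 == "ServerName" { name = $2 }
        $1 == "Redirect" || $1 == "RedirectPermanent" {
            # Redirect [status] URL-path URL   or   RedirectPermanent URL-path URL
            path = (NF == 4) ? $3 : $2; url = (NF == 4) ? $4 : $3
            if (path == "/" && url ~ "^https://") ok = 1
        }
        $1 == "</VirtualHost>" { if (!ok) { print name; bad++ }; inhttp = 0 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

if noncompliant_http_vhosts "$SAMPLE_CONF"; then
    echo "all port-80 vhosts redirect to HTTPS"
else
    echo "the port-80 vhosts listed above still serve content over clear-text HTTP"
fi
```

Point the function at the live httpd.conf (or each vhost file) to audit a real server; a redirect to a plain http:// URL or to a sub-path only is reported as non-compliant.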

Default Value:

The following are the default values:

TLS is not enabled by default.

See Also

https://workbench.cisecurity.org/files/4548

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|11, CSCv7|14.4

Plugin: Unix

Control ID: 2ee3c20cea3230776798fec29d1cb3046b7872bc988177f306941f332443e2ae