HTTP to HTTPS Redirect Not Enabled

medium Web App Scanning Plugin ID 112544

Synopsis

HTTP to HTTPS Redirect Not Enabled

Description

HTTPS is enabled on the website, but HTTP requests are not redirected to HTTPS. Communications are not encrypted if users do not explicitly access the HTTPS version of the website.

Note: This plugin does not handle custom ports, and therefore only performs checks when a scan is run on standard ports (80/443).

Solution

Enable HTTP to HTTPS redirect for all requests. In addition to redirects, if HTTP Strict Transport Security (HSTS) is not implemented, enabling it is highly recommended.
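
One way to verify the fix from captured response data, as an added example that is not the plugin's own logic: it checks that the port-80 response really redirects to an https:// URL (a relative Location does not) and that the HTTPS response carries a usable HSTS max-age. The function names, finding labels and sample responses are assumptions constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


def _header(headers, name):
    """Case-insensitive header lookup."""
    return {k.lower(): v for k, v in headers.items()}.get(name.lower())


def redirects_to_https(request_url, response):
    """True if the response to a plain-HTTP request redirects to an https:// URL."""
    location = _header(response["headers"], "Location")
    if response["status"] not in REDIRECT_CODES or not location:
        return False
    # A relative Location resolves against the http:// request URL, so it stays on HTTP.
    return urlsplit(urljoin(request_url, location)).scheme == "https"


def hsts_max_age(response):
    """max-age of the Strict-Transport-Security header, or None if absent or malformed."""
    value = _header(response["headers"], "Strict-Transport-Security")
    for directive in (value or "").split(";"):
        m = re.fullmatch(r'\s*max-age\s*=\s*"?(\d+)"?\s*', directive, re.IGNORECASE)
        if m:
            return int(m.group(1))
    return None


def assess(http_resp, https_resp, url="http://example.test/login"):
    """Findings for one site, given its responses on port 80 and port 443."""
    findings = []
    if not redirects_to_https(url, http_resp):
        findings.append("http-not-redirected")
    # Browsers honour HSTS only when received over HTTPS; max-age=0 clears the policy.
    if not hsts_max_age(https_resp):
        findings.append("hsts-not-enabled")
    return findings


# Constructed sample responses (not real scan output).
SERVED_OVER_HTTP = {"status": 200, "headers": {"Content-Type": "text/html"}}
RELATIVE_REDIRECT = {"status": 302, "headers": {"Location": "/login/"}}
HTTPS_REDIRECT = {"status": 301, "headers": {"location": "https://example.test/login"}}
NO_HSTS = {"status": 200, "headers": {}}
WITH_HSTS = {"status": 200,
             "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}}

if __name__ == "__main__":
    print(assess(SERVED_OVER_HTTP, NO_HSTS))
```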

See Also

https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet

Plugin Details

Severity: Medium

ID: 112544

Type: remote

Family: SSL/TLS

Published: 2/12/2019

Updated: 9/6/2024

Scan Template: api, basic, config_audit, full, pci, quick, scan, ssl_tls

Risk Information

VPR

Risk Factor: Low

Score: 2.5

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information