HTTP to HTTPS Redirect Not Enabled

Medium Web Application Scanning Plugin ID 112544

Synopsis

HTTP to HTTPS Redirect Not Enabled

Description

HTTPS is enabled on the website; however, HTTP requests are not redirected to HTTPS. Communications are not encrypted if users do not explicitly access the HTTPS version of the website.

Solution

Enable HTTP to HTTPS redirect for all requests. In addition to redirects, if HTTP Strict Transport Security (HSTS) is not implemented, it is highly recommended to enable it.
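
One way to verify both parts of this solution after the change, as an added example (not the scanner's own plugin logic): it classifies the response a site gives to a plain-HTTP request and reads the HSTS max-age from its HTTPS response. The function names and the sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}

def check_redirect(status, headers):
    """Classify the response to a request made over plain HTTP."""
    if status not in REDIRECT_CODES:
        return "no-redirect"
    location = _lower(headers).get("location", "")
    # A relative Location keeps the client on the http:// scheme.
    if urlsplit(location).scheme.lower() != "https":
        return "redirect-not-https"
    return "ok"

def hsts_max_age(headers):
    """max-age (seconds) from an HTTPS response's HSTS header, else None."""
    value = _lower(headers).get("strict-transport-security")
    if value is None:
        return None
    for directive in value.split(";"):
        name, _, arg = directive.partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdecimal() else None
    return None

def audit(http_resp, https_resp):
    """Return findings for one site given (status, headers) pairs."""
    findings = []
    verdict = check_redirect(*http_resp)
    if verdict != "ok":
        findings.append("http: " + verdict)
    age = hsts_max_age(https_resp[1])
    if not age:  # missing, unparsable, or max-age=0 (which clears the policy)
        findings.append("https: hsts-not-enforced")
    return findings

# Constructed sample responses (not captured from a real site).
GOOD = ((301, {"Location": "https://shop.example/"}),
        (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
BAD = ((200, {"Content-Type": "text/html"}), (200, {}))
RELATIVE = ((302, {"Location": "/login"}), (200, {"strict-transport-security": "max-age=0"}))

if __name__ == "__main__":
    for name, pair in (("good", GOOD), ("bad", BAD), ("relative", RELATIVE)):
        print(name, audit(*pair))
```

The RELATIVE case shows two configurations that look correct at a glance but are not: a redirect whose Location has no https scheme, and an HSTS header with max-age=0.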

See Also

https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet

Plugin Details

Severity: Medium

ID: 112544

Type: remote

Family: SSL/TLS

Published: 2019/02/12

Updated: 2019/02/12

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS v3.0

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Reference Information

WASC: Insufficient Transport Layer Protection

OWASP: 2010-A9, 2013-A6, 2017-A3