CWE-1428
Reliance on HTTP instead of HTTPS
The product provides or relies on use of HTTP communications when HTTPS is available.
Status
incomplete
Abstraction
base
Affected Platforms
Extended Description
Because HTTP communications are not encrypted, HTTP is subject to various attacks against confidentiality, integrity, and authenticity. However, unlike many other protocols, HTTPS is widely available as a more secure alternative, because it uses encryption.
Technical Details
Common Consequences
confidentiality
integrity
Impacts
read application data
modify application data
Potential Mitigations
Phases:
architecture and design
implementation
operation
Descriptions:
• Explicitly require HTTPS or another mechanism that ensures that communication is encrypted [REF-1464].
• Perform "HTTPS forcing," that is, redirecting HTTP requests to HTTPS.
• Avoid using "mixed content," i.e., serving a web page over HTTPS in which the page includes elements that use "http:" URLs [REF-1466] [REF-1467]. This is often done for images or other resources that do not seem to have privacy or security implications.
• If the product supports multiple protocols, ensure that encrypted protocols (such as HTTPS) are required, and remove any unencrypted protocols (such as HTTP).
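The following Go program is an added example (not part of the CWE entry) of the first three mitigations together: a plain-HTTP listener that only issues HTTPS redirects, an HSTS header on the HTTPS side, and a simple check for "http:" subresource URLs (mixed content) in an HTML response. The host example.test, the certificate paths cert.pem/key.pem and the sample HTML are constructed placeholders.

```go
package main

import (
	"net/http"
	"regexp"
)

// redirectToHTTPS implements "HTTPS forcing": every plain-HTTP request is
// answered with a redirect to the same host, path and query over https://.
// 308 is used so that the method and body survive the redirect (301/302 may
// turn a POST into a GET).
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	target := "https://" + r.Host + r.URL.RequestURI()
	http.Redirect(w, r, target, http.StatusPermanentRedirect)
}

// secureHeaders wraps the HTTPS handler and adds HSTS, so browsers keep
// using HTTPS for this host even when a user later types an http:// URL.
func secureHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

// attrRE finds src/href/action attributes whose value is a plain "http://" URL.
// This is a lightweight regex check for mixed content, not a full HTML parser.
var attrRE = regexp.MustCompile(`(?i)\b(?:src|href|action)\s*=\s*["'](http://[^"']+)["']`)

// mixedContentURLs returns the "http:" URLs referenced by a page that is
// itself served over HTTPS; an empty result means no mixed content was found.
func mixedContentURLs(html string) []string {
	var out []string
	for _, m := range attrRE.FindAllStringSubmatch(html, -1) {
		out = append(out, m[1])
	}
	return out
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("ok")) })
	// Port 80 serves nothing but redirects; all content lives behind TLS on 443.
	go http.ListenAndServe(":80", http.HandlerFunc(redirectToHTTPS))
	// cert.pem and key.pem are placeholder paths for the operator's TLS material.
	http.ListenAndServeTLS(":443", "cert.pem", "key.pem", secureHeaders(mux))
}
```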