Details
Alert ID 10047
Alert Type Active
Status beta
Risk Low
CWE 311
WASC 4
Technologies Targeted All
Tags CWE-311
OWASP_2017_A06
OWASP_2021_A05
POLICY_QA_FULL
WSTG-V42-CRYP-03
More Info Scan Rule Help

Summary

Content which was initially accessed via HTTPS (i.e.: using SSL/TLS encryption) is also accessible via HTTP (without encryption).

Solution

Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security.

Other Info

ZAP attempted to connect via: http://example.org/

References

Code

org/zaproxy/zap/extension/ascanrulesBeta/HttpsAsHttpScanRule.java