Details | |
---|---|
Alert ID | 10047 |
Alert Type | Active |
Status | beta |
Risk | Low |
CWE | 311 |
WASC | 4 |
Technologies Targeted | All |
Tags | CWE-311 OWASP_2017_A06 OWASP_2021_A05 WSTG-V42-CRYP-03 |
More Info | Scan Rule Help |
Summary
Content which was initially accessed via HTTPS (i.e.: using SSL/TLS encryption) is also accessible via HTTP (without encryption).
Solution
Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security.
Other Info
ZAP attempted to connect via: http://example.org/
References
- https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html
- https://owasp.org/www-community/Security_Headers
- https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
- https://caniuse.com/stricttransportsecurity
- https://datatracker.ietf.org/doc/html/rfc6797
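An added example, not code from the ZAP scan rule or its documentation: a small Python checker that classifies the response to the clear-text probe this alert describes (content served, redirect to HTTPS, or redirect that stays on http://) and validates the Strict-Transport-Security header recommended in the Solution. The sample responses are constructed, and the one-year minimum max-age is an assumed threshold.

```python
from urllib.parse import urlsplit

# Constructed sample responses for the clear-text probe (http://example.org/)
# that the alert describes; they were not captured from any real host.

def _lower(headers):
    """Header names are case-insensitive; normalise them for lookup."""
    return {k.lower(): v for k, v in headers.items()}

def classify_http_probe(status, headers):
    """Classify the response to the http:// request for a page first seen
    over HTTPS: 'served-over-http' is the condition this alert reports."""
    h = _lower(headers)
    if 200 <= status < 300:
        return "served-over-http"            # content delivered in the clear
    if 300 <= status < 400:
        if urlsplit(h.get("location", "")).scheme == "https":
            return "redirects-to-https"      # the expected fix
        return "served-over-http"            # redirect, but still on http://
    return "no-content"                      # 4xx/5xx: nothing delivered

def check_hsts(https_headers, min_age=31536000):
    """Return problems with Strict-Transport-Security (RFC 6797) as sent on
    the HTTPS response; browsers ignore the header if received over HTTP.
    min_age (one year) is an assumed policy threshold, not a ZAP value."""
    h = _lower(https_headers)
    value = h.get("strict-transport-security")
    if value is None:
        return ["missing"]
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        directives[name.lower()] = val.strip().strip('"')
    problems = []
    age = directives.get("max-age")
    if age is None or not age.isdigit():
        problems.append("max-age missing or not numeric")
    elif int(age) == 0:
        problems.append("max-age=0 disables HSTS")
    elif int(age) < min_age:
        problems.append(f"max-age {age} below {min_age}")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains not set")
    return problems

if __name__ == "__main__":
    print(classify_http_probe(200, {"Content-Type": "text/html"}))
    print(classify_http_probe(301, {"Location": "https://example.org/"}))
    print(check_hsts({"Strict-Transport-Security": "max-age=300"}))
```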