logo

HTTPS Content Available via HTTP

  • Risk:
  • Low

  • Type:
  • Active
Summary

Content which was initially accessed via HTTPS (i.e.: using SSL/TLS encryption) is also accessible via HTTP (without encryption).

Solution

Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security.

Other info
ZAP attempted to connect via: http://example.org/
References

https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html

https://owasp.org/www-community/Security_Headers

https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

https://caniuse.com/stricttransportsecurity

https://datatracker.ietf.org/doc/html/rfc6797

Free security scan for your website