SSL enforced¶
Description¶
This security best practice should be enforced by your organization, at least for your API routes.
Here are 4 risk examples when allowing unsecure HTTP
:
- Man in the Middle attacks: hackers can intercept and alter data from a legitimate request.
- Misuse of data: confidential information can be accessed by hackers.
- Downranking of websites: your website can be considered insecure by search engines and rated as not trustworthy.
- Loss of customers' trust: without a secure HTTPS padlock displayed on your website, users may rightfully consider it to be unsafe.
Using HSTS is not a solution to this problem, as it won't protect against MITM attacks and regular "public wifi sniffing" until connection has been upgraded to HTTPS. As recommended by Google, make sure that no cookies are being sent through HSTS.
Remediation¶
Enforce using HTTPS (using an SSL certificate) in order to protect your users' connections. In most cases, this must be done at ingress/(reverse-)proxy level.
- Kubernetes Ingress: Google Cloud documentation.
- Caddy: CaddyServer documentation.
- Nginx Reverse Proxy: Nginx documentation.
- Express: Node, Express, SSL Certificate: run HTTPS server from scratch in 5 steps.
- graphql-go/graphql: golang-tls.
If you are using Let's Encrypt certificates, make sure to authorize HTTPS to HTTPS redirections on the path /.well-known/acme-challenge/
to avoid any issues.
GraphQL Specific¶
Apollo
Ensure that the Apollo framework engine is configured to enforce SSL/TLS encryption for all incoming and outgoing connections to prevent data interception and man-in-the-middle attacks. This can typically be achieved by setting up HTTPS for your Apollo server and using secure WebSockets (WSS) for subscriptions.Yoga
Ensure that the Yoga framework engine is configured to enforce SSL/TLS for all connections to prevent data interception and man-in-the-middle attacks. This can typically be achieved by configuring the server to redirect all HTTP requests to HTTPS, setting up HSTS (HTTP Strict Transport Security), and ensuring that SSL certificates are valid and up-to-date. Additionally, consider implementing TLS 1.2 or higher for enhanced security.Awsappsync
Ensure that SSL is enforced for all data in transit to and from AWS AppSync by configuring the API to require HTTPS for all requests and by using AWS-managed certificates for SSL/TLS termination.Graphqlgo
Ensure that the GraphQL Go framework engine is configured to enforce SSL/TLS connections for all incoming and outgoing communications to prevent data interception and man-in-the-middle attacks. This can typically be achieved by setting up an SSL-enabled proxy in front of the application or by configuring the server to only accept secure connections. Additionally, consider implementing HSTS (HTTP Strict Transport Security) to enforce SSL/TLS usage for all clients.Graphqlruby
Ensure that SSL is enforced for all GraphQL Ruby framework engine connections to prevent data interception and man-in-the-middle attacks. Configure the server to redirect all HTTP requests to HTTPS and use SSL certificates from a trusted certificate authority. Additionally, set the 'force_ssl' configuration option to 'true' in the environment configuration file to enforce SSL usage.Hasura
Ensure that SSL is enforced for all connections to the Hasura GraphQL engine by setting the environment variable `HASURA_GRAPHQL_SSL_CERT_DIR` to the directory containing your SSL certificates. Additionally, configure your reverse proxy or load balancer to only accept secure HTTPS connections.REST Specific¶
Asp_net
Implement SSL/TLS to encrypt all data in transit. Ensure all ASP.NET applications redirect HTTP traffic to HTTPS, utilize the `RequireHttpsAttribute` for MVC controllers, and set `Strict-Transport-Security` headers to enforce HSTS, while ensuring cookies have the `secure` flag set to prevent transmission over unencrypted connections.Ruby_on_rails
In Ruby on Rails, enforce SSL by setting 'config.force_ssl = true' in the 'config/environments/production.rb' file. This will ensure that all access to your application's routes is over HTTPS, redirecting any HTTP requests to HTTPS, and securing your data with SSL/TLS encryption.Next_js
Implement SSL/TLS to ensure all data transmitted between the Next.js server and clients is encrypted. Configure your server to redirect all HTTP traffic to HTTPS and use HSTS to enforce SSL. Update all internal links to use HTTPS and set secure attributes on cookies.Laravel
In Laravel, enforce SSL by adding a middleware that redirects all HTTP requests to HTTPS. Use the 'forceScheme' method on the URL facade within the middleware to ensure all generated URLs are HTTPS. Additionally, set the 'SECURE_COOKIES' environment variable to true to make all cookies secure by default.Express_js
Implement SSL/TLS encryption for all Express.js routes by configuring the server to only serve content over HTTPS. Acquire and install an SSL certificate, redirect all HTTP traffic to HTTPS, and use the 'helmet' middleware to set HTTP headers for security, including HSTS, to prevent any non-encrypted connections.Django
In Django, ensure SSL/TLS is enforced by setting the 'SECURE_SSL_REDIRECT' to 'True' in your settings.py file. This will redirect all HTTP requests to HTTPS. Additionally, set 'SESSION_COOKIE_SECURE' and 'CSRF_COOKIE_SECURE' to 'True' to prevent cookies from being transmitted over non-HTTPS connections. Use Django's built-in '@require_https' decorator for views that require SSL. For added security, consider implementing HSTS by setting 'SECURE_HSTS_SECONDS', 'SECURE_HSTS_INCLUDE_SUBDOMAINS', and 'SECURE_HSTS_PRELOAD' appropriately.Symfony
In Symfony, enforce SSL by configuring your web server to redirect all HTTP traffic to HTTPS. Additionally, set the 'security.yml' to require HTTPS for all routes by using the 'requires_channel: https' under your firewall settings. Implement HSTS by adding the 'Strict-Transport-Security' header in your response. This ensures all data is encrypted during transit, protecting against eavesdropping and tampering.Spring_boot
In Spring Boot applications, enforce SSL by configuring the server to redirect all HTTP requests to HTTPS. This can be achieved by setting the 'security.require-ssl=true' property in the application.properties file or by implementing a WebSecurityConfigurerAdapter that redirects all incoming HTTP requests to HTTPS. Additionally, use the '@EnableWebSecurity' annotation to activate security features and configure HSTS headers to instruct browsers to only communicate over HTTPS.Flask
In Flask, ensure SSL/TLS is enforced by redirecting all HTTP requests to HTTPS. Use the 'Flask-Talisman' extension to set strict HTTPS-only transport security headers and manage secure cookies. Configure your web server to handle SSL termination and always serve your Flask application over a secure connection.Nuxt
Ensure all Nuxt.js applications are configured to use HTTPS by default. Set up a permanent redirect from HTTP to HTTPS to prevent any unencrypted traffic. Utilize the `server.https` option in `nuxt.config.js` to specify the SSL certificate and key, and consider implementing HSTS headers to enforce secure connections. Regularly update your SSL certificates and use strong encryption protocols to maintain the highest level of security.Fastapi
In FastAPI, ensure all API routes are configured to use HTTPS by setting up SSL/TLS certificates. Redirect all HTTP traffic to HTTPS and implement HSTS headers to enforce secure connections. Avoid sending sensitive data over unencrypted channels and consider using middleware to automate HTTPS redirection.Configuration¶
Identifier:
protocol/ssl
Examples¶
Ignore this check¶
Score¶
- Escape Severity:
Compliance¶
-
OWASP: API2:2023
-
pci: 4.1
- gdpr: Article-32
- soc2: CC1
- psd2: Article-95
- iso27001: A.14.1
- nist: SP800-53
- fedramp: AC-17
Classification¶
- CWE: 319
Score¶
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
- CVSS_SCORE: 7.2