
Security Test: Frontend SSL enforced

Description

Default Severity:

If a connection is allowed to start over plain HTTP instead of being forced to HTTPS from the first request, there is a window in which an attacker on the network path can read and modify traffic before any encryption is in place. Sensitive data can be exposed or tampered with, leading to data misuse, loss of trust, and ranking penalties from search engines. A common mistake is to rely on measures that only take effect once a connection already exists, such as an HTTP-to-HTTPS redirect: the initial plaintext request, and the redirect response itself, are still open to man-in-the-middle attacks. Enforcing HTTPS from the start means the plaintext endpoint is unavailable or only ever redirects to HTTPS, and the HTTPS origin sends a Strict-Transport-Security header so that returning clients never issue the plaintext request again. This test verifies that the frontend is reachable only over HTTPS, so every connection is encrypted from the beginning.
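The following is an added example, not the scanner's own implementation of this check. It models what a probe of the frontend sees (the response to a plaintext request to http://host/ and the response to https://host/) and reports whether the plaintext window described above is closed: the HTTP endpoint must redirect to an https:// target, and the HTTPS response must carry a Strict-Transport-Security header with a max-age of at least one year. Those pass criteria, the one-year threshold, the `Probe`/`assess`/`probe` names and the sample responses are all assumptions made for the example; the hostnames in the samples are constructed.

```python
"""Decide whether a frontend enforces TLS from the first request.

Added example (not the project's code). The pass criteria below are
this example's assumptions, not necessarily the scanner's exact logic.
"""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # assumed minimum HSTS max-age (common hardening guidance)


@dataclass
class Probe:
    """One HTTP response: status code and headers (names matched case-insensitively)."""
    status: int
    headers: Dict[str, str]


def _header(p: Probe, name: str) -> Optional[str]:
    for k, v in p.headers.items():
        if k.lower() == name.lower():
            return v
    return None


def _hsts_max_age(value: str) -> int:
    """Extract max-age from a Strict-Transport-Security value; 0 if absent/invalid."""
    for part in value.split(";"):
        k, _, v = part.strip().partition("=")
        if k.lower() == "max-age":
            try:
                return int(v.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def assess(http_probe: Probe, https_probe: Probe) -> dict:
    """Return {'passed': bool, 'findings': [str]} for the two probes.

    http_probe  : response to the plaintext request to http://host/
    https_probe : response to https://host/ (HSTS must come from here;
                  browsers ignore the header on plain-HTTP responses)
    """
    findings = []
    location = _header(http_probe, "Location")
    if 300 <= http_probe.status < 400 and location:
        if urlsplit(location).scheme.lower() != "https":
            findings.append(f"HTTP redirects to a non-HTTPS target: {location}")
    else:
        # Content served over plaintext: the whole exchange is exposed.
        findings.append(f"plaintext request served directly (status {http_probe.status})")

    hsts = _header(https_probe, "Strict-Transport-Security")
    if hsts is None:
        # Redirect alone still leaves the first request of every fresh visit in the clear.
        findings.append("no Strict-Transport-Security header on the HTTPS response")
    elif _hsts_max_age(hsts) < ONE_YEAR:
        findings.append(f"HSTS max-age below one year: {hsts}")
    return {"passed": not findings, "findings": findings}


def probe(url: str, timeout: float = 5.0) -> Probe:
    """Live probe that does not follow redirects (network; not used by run_samples)."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # turn 3xx into an HTTPError we can inspect

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as r:
            return Probe(r.status, dict(r.headers.items()))
    except urllib.error.HTTPError as e:
        return Probe(e.code, dict(e.headers.items()))


def run_samples() -> Dict[str, dict]:
    """Assess four constructed scenarios (sample data, not captured traffic)."""
    hsts_ok = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}
    return {
        "enforced": assess(Probe(301, {"Location": "https://example.test/"}),
                           Probe(200, hsts_ok)),
        "redirect_only": assess(Probe(301, {"Location": "https://example.test/"}),
                                Probe(200, {"Content-Type": "text/html"})),
        "served_plaintext": assess(Probe(200, {"Content-Type": "text/html"}),
                                   Probe(200, hsts_ok)),
        "redirect_downgrade": assess(Probe(302, {"location": "http://www.example.test/"}),
                                     Probe(200, hsts_ok)),
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, "PASS" if result["passed"] else "FAIL", result["findings"])
```

To check a real host, call `assess(probe("http://host/"), probe("https://host/"))`; the plaintext probe is sent once and not followed, so the script itself never fetches content over HTTP beyond that first request.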

Reference:

Configuration

Identifier: frontend_protocol/ssl

Examples

All configuration available:

checks:
  frontend_protocol/ssl:
    skip: false # default

Compliance and Standards

Standard            Value
OWASP API Top 10    API2:2023
OWASP LLM Top 10    LLM06:2023
PCI DSS             4.1
GDPR                Article-32
SOC2                CC1
PSD2                Article-95
ISO 27001           A.14.1
NIST                SP800-53
FedRAMP             AC-17
CWE                 319
CVSS Vector         CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
CVSS Score          7.2