Security Test: Frontend SSL enforced¶

Description¶

Default Severity:

When you let a connection start with plain HTTP instead of forcing HTTPS from the beginning, you open up a gap where attackers can intercept and potentially modify data before it becomes secure. This creates a risk where sensitive information can be exposed or tampered with, leading to data misuse, loss of trust, and even penalties from search engines. Many developers mistakenly rely on measures that only secure the connection after it's already been established, which leaves that initial link open to man-in-the-middle attacks. The key takeaway is ensuring every connection is encrypted from the start to prevent these vulnerabilities.

Reference:

https://developers.google.com/search/docs/advanced/security/https

Configuration¶

Identifier: frontend_protocol/ssl

Examples¶

All configuration available:

checks:
  frontend_protocol/ssl:
    skip: false # default

Compliance and Standards¶

Standard	Value
OWASP API Top 10	API2:2023
OWASP LLM Top 10	LLM06:2023
PCI DSS	`4.1`
GDPR	`Article-32`
SOC2	`CC1`
PSD2	`Article-95`
ISO 27001	`A.14.1`
NIST	`SP800-53`
FedRAMP	`AC-17`
CWE	`319`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C`
CVSS Score	`7.2`