Security Test: SSL enforced¶

Description¶

Default Severity:

If your API routes allow plain HTTP, an attacker can intercept the data before the connection is even secured. This means sensitive info could be taken or altered in real time, potentially leading to misuse of data, harming your reputation, and hurting your site's search ranking. Many developers mistakenly rely on mechanisms like HSTS to secure their site, but these tools only work after an HTTPS connection is already established. The root problem is not forcing secure HTTPS from the start, leaving that initial connection exposed to potential man-in-the-middle attacks.

Reference:

https://developers.google.com/search/docs/advanced/security/https

Configuration¶

Identifier: protocol/ssl

Examples¶

All configuration available:

checks:
  protocol/ssl:
    skip: false # default

Compliance and Standards¶

Standard	Value
OWASP API Top 10	API2:2023
OWASP LLM Top 10	LLM06:2023
PCI DSS	`4.1`
GDPR	`Article-32`
SOC2	`CC1`
PSD2	`Article-95`
ISO 27001	`A.14.1`
NIST	`SP800-53`
FedRAMP	`AC-17`
CWE	`319`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C`
CVSS Score	`7.2`