
SSL enforced

Description

This security best practice should be enforced by your organization, at least for your API routes.

Here are four examples of the risks of allowing insecure HTTP:

  • Man in the Middle attacks: hackers can intercept and alter data from a legitimate request.
  • Misuse of data: confidential information can be accessed by hackers.
  • Downranking of websites: your website can be considered insecure by search engines and rated as not trustworthy.
  • Loss of customers' trust: without a secure HTTPS padlock displayed on your website, users may rightfully consider it to be unsafe.

Using HSTS alone is not a solution to this problem: a browser only learns the HSTS policy from a response it has already received over HTTPS, so it won't protect against MITM attacks and regular "public wifi sniffing" until the connection has been upgraded to HTTPS.

As recommended by Google, make sure that no cookies are being sent through HSTS.

Remediation

Enforce using HTTPS (using an SSL certificate) in order to protect your users' connections.

In most cases, this must be done at the ingress/(reverse-)proxy level.

If you are using Let's Encrypt certificates, make sure to allow HTTP to HTTPS redirections on the path /.well-known/acme-challenge/ (rather than blocking it) to avoid any issues with certificate issuance and renewal.
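The remediation above, written out as an added example for Node's built-in http module (this is not code from Escape or from any framework listed on this page). It bounces plain-HTTP requests to HTTPS with a 308, leaves the Let's Encrypt HTTP-01 challenge path reachable over HTTP, sends HSTS only on HTTPS responses, and refuses to trust X-Forwarded-Proto unless the application is explicitly told it sits behind a TLS-terminating proxy. The hostnames, URLs and the `trustProxy` option are assumptions for the example.

```javascript
// Added example, not code from Escape or from any framework on this page.
// Enforces HTTPS for a Node http server: plain-HTTP requests get a 308 to the
// HTTPS URL, the ACME HTTP-01 challenge path stays reachable, and HSTS is only
// sent on HTTPS responses. Hypothetical deployment: TLS is terminated at a
// reverse proxy that sets X-Forwarded-Proto, and `trustProxy` is enabled only then.
const ACME_PREFIX = "/.well-known/acme-challenge/";
const HSTS_VALUE = "max-age=31536000; includeSubDomains"; // one year (assumption)

// Scheme the client actually used. A direct TLS socket reports `encrypted`;
// behind a proxy, X-Forwarded-Proto is honoured only when trustProxy is set,
// otherwise any client could claim "https" and skip the redirect.
function requestScheme(req, trustProxy) {
  if (req.socket && req.socket.encrypted) return "https";
  if (trustProxy) {
    const first = String(req.headers["x-forwarded-proto"] || "")
      .split(",")[0].trim().toLowerCase();
    if (first === "https") return "https";
  }
  return "http";
}

// Pure decision: what enforceHttps() will do with this request.
//   { action: "serve", hsts: true }   request already on HTTPS
//   { action: "serve", hsts: false }  ACME challenge allowed over plain HTTP
//   { action: "redirect", location }  plain HTTP, send 308 to the HTTPS URL
//   { action: "reject" }              plain HTTP without a Host header
function httpsDecision(req, opts = {}) {
  if (requestScheme(req, !!opts.trustProxy) === "https") {
    return { action: "serve", hsts: true };
  }
  const url = req.url || "/";
  if (url.startsWith(ACME_PREFIX)) return { action: "serve", hsts: false };
  const host = req.headers.host;
  if (!host) return { action: "reject" };
  // Drop any explicit port; the HTTPS listener is assumed to be on 443.
  const hostname = host.replace(/:\d+$/, "");
  return { action: "redirect", location: `https://${hostname}${url}` };
}

// Handler wrapper: `next(req, res)` is the application's own handler.
function enforceHttps(req, res, next, opts = {}) {
  const decision = httpsDecision(req, opts);
  switch (decision.action) {
    case "redirect":
      // 308 keeps method and body, so a POST is not silently turned into a GET.
      res.writeHead(308, { Location: decision.location, "Content-Length": "0" });
      res.end();
      break;
    case "reject":
      res.writeHead(400, { "Content-Type": "text/plain" });
      res.end("Host header required\n");
      break;
    default:
      if (decision.hsts) res.setHeader("Strict-Transport-Security", HSTS_VALUE);
      next(req, res);
  }
  return decision;
}

// Constructed requests (not captured traffic) exercising each branch.
function demo() {
  const mk = (url, headers, encrypted = false) => ({ url, headers, socket: { encrypted } });
  const behindProxy = { trustProxy: true };
  return {
    plain: httpsDecision(mk("/api/users?page=2", { host: "api.example.com:8080", "x-forwarded-proto": "http" }), behindProxy),
    acme: httpsDecision(mk(ACME_PREFIX + "token123", { host: "api.example.com" }), behindProxy),
    viaProxy: httpsDecision(mk("/api/users", { host: "api.example.com", "x-forwarded-proto": "https" }), behindProxy),
    spoofed: httpsDecision(mk("/api/users", { host: "api.example.com", "x-forwarded-proto": "https" }), {}),
    noHost: httpsDecision(mk("/api/users", {}), behindProxy),
  };
}

module.exports = { requestScheme, httpsDecision, enforceHttps, demo, ACME_PREFIX, HSTS_VALUE };
```

Wire it in with `http.createServer((req, res) => enforceHttps(req, res, app, { trustProxy: true }))` on port 80 next to your HTTPS listener. The `spoofed` case in `demo()` is the one to watch: with `trustProxy` off, a forged `X-Forwarded-Proto: https` still gets redirected, which is the behaviour you want for an application exposed directly to clients.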

GraphQL Specific

  • Apollo: Ensure that the Apollo framework engine is configured to enforce SSL/TLS encryption for all incoming and outgoing connections to prevent data interception and man-in-the-middle attacks. This can typically be achieved by setting up HTTPS for your Apollo server and using secure WebSockets (WSS) for subscriptions.
  • Yoga: Ensure that the Yoga framework engine is configured to enforce SSL/TLS for all connections to prevent data interception and man-in-the-middle attacks. This can typically be achieved by configuring the server to redirect all HTTP requests to HTTPS, setting up HSTS (HTTP Strict Transport Security), and ensuring that SSL certificates are valid and up to date. Additionally, consider requiring TLS 1.2 or higher for enhanced security.
  • AWS AppSync: Ensure that SSL is enforced for all data in transit to and from AWS AppSync by configuring the API to require HTTPS for all requests and by using AWS-managed certificates for SSL/TLS termination.
  • graphql-go: Ensure that the GraphQL Go framework engine is configured to enforce SSL/TLS connections for all incoming and outgoing communications to prevent data interception and man-in-the-middle attacks. This can typically be achieved by setting up an SSL-enabled proxy in front of the application or by configuring the server to only accept secure connections. Additionally, consider implementing HSTS (HTTP Strict Transport Security) to enforce SSL/TLS usage for all clients.
  • GraphQL Ruby: Ensure that SSL is enforced for all GraphQL Ruby framework engine connections to prevent data interception and man-in-the-middle attacks. Configure the server to redirect all HTTP requests to HTTPS and use SSL certificates from a trusted certificate authority. Additionally, set the 'force_ssl' configuration option to 'true' in the environment configuration file to enforce SSL usage.
  • Hasura: Ensure that SSL is enforced for all connections to the Hasura GraphQL engine by setting the environment variable `HASURA_GRAPHQL_SSL_CERT_DIR` to the directory containing your SSL certificates. Additionally, configure your reverse proxy or load balancer to only accept secure HTTPS connections.
  • Agoo: Enforce SSL for all API routes in the Agoo framework to ensure secure data transmission and protect against potential security threats such as man-in-the-middle attacks and data misuse.
  • Ariadne: Ensure SSL is enforced for all API routes in the Ariadne framework to prevent data interception and maintain user trust.
  • Caliban: Enforce HTTPS for all API routes in the Caliban framework to prevent data interception and ensure secure communication.
  • Dgraph: Enforce SSL/TLS for all Dgraph API endpoints to ensure secure data transmission and protect against potential security threats such as man-in-the-middle attacks and data misuse.
  • DianaJL: Enforce SSL/TLS for all API routes in the DianaJL framework to ensure secure data transmission and protect against potential security threats such as man-in-the-middle attacks and data misuse.
  • Directus: Ensure SSL is enforced for all Directus API routes to prevent data interception and enhance security.
  • Flutter: Ensure all network requests in your Flutter application use HTTPS by configuring the HTTP client to enforce SSL/TLS connections, and validate SSL certificates to prevent man-in-the-middle attacks.
  • Graphene: Ensure SSL is enforced for all API routes in the Graphene framework to prevent data interception and maintain user trust.
  • GraphQL API for WordPress: Enforce HTTPS for all GraphQL API routes in the GraphQL API for WordPress framework to ensure secure data transmission and protect against potential security threats such as man-in-the-middle attacks.
  • Graphqlgophergo: Ensure SSL/TLS is enforced for all GraphQL endpoints in the GopherGo framework to prevent data interception and enhance security.
  • graphql-java: Enforce HTTPS for all GraphQL API endpoints in the graphql-java framework to ensure secure data transmission and protect against potential security threats such as man-in-the-middle attacks.
  • graphql-php: Ensure SSL/TLS is enforced for all GraphQL API endpoints in the graphql-php framework to prevent data interception and enhance security.
  • GraphQL Yoga: Enforce HTTPS for all GraphQL Yoga API endpoints to ensure secure data transmission and protect against potential security threats such as man-in-the-middle attacks and data misuse.
  • HyperGraphQL: Enforce HTTPS for all API endpoints in the HyperGraphQL framework to ensure secure data transmission and protect against potential security threats such as man-in-the-middle attacks.
  • Jaal: Ensure SSL is enforced for all API routes in the Jaal framework to prevent data interception and enhance security.
  • Juniper: Enforce SSL/TLS for all API routes in the Juniper framework to ensure secure data transmission and protect against potential security threats such as man-in-the-middle attacks and data misuse.
  • Lacinia: Ensure that all API routes in the Lacinia framework are configured to enforce SSL/TLS connections to prevent data interception and enhance security.
  • Lighthouse: Ensure all API routes enforce SSL to prevent data interception and enhance security.
  • Mercurius: Ensure SSL is enforced for all API routes in the Mercurius framework to prevent data interception and enhance security.
  • Morpheus GraphQL: Ensure SSL/TLS is enforced for all Morpheus GraphQL API endpoints to protect data integrity and confidentiality. This prevents potential security risks such as man-in-the-middle attacks and data misuse, while also maintaining user trust and search engine ranking.
  • Qglgen: Ensure SSL/TLS is enforced for all qglgen API routes to prevent data interception and enhance security.
  • Sangria: Ensure all API endpoints in the Sangria framework are served over HTTPS to prevent data interception and enhance security.
  • Shopify: Ensure all Shopify store connections are secured with HTTPS to protect customer data and maintain trust.
  • StepZen: Ensure all API endpoints in the StepZen framework are configured to use HTTPS to prevent data interception and enhance security.
  • Strawberry: Enforce SSL/TLS for all API routes in the Strawberry framework to ensure secure data transmission and protect against potential security threats such as man-in-the-middle attacks.
  • Tartiflette: Enforce SSL/TLS for all API routes in the Tartiflette framework to ensure secure data transmission and protect against potential security threats such as man-in-the-middle attacks.
  • WPGraphQL: Ensure SSL is enforced for all WPGraphQL API endpoints to protect data integrity and user privacy.

REST Specific

  • ASP.NET: Implement SSL/TLS to encrypt all data in transit. Ensure all ASP.NET applications redirect HTTP traffic to HTTPS, utilize the `RequireHttpsAttribute` for MVC controllers, and set `Strict-Transport-Security` headers to enforce HSTS, while ensuring cookies have the `secure` flag set to prevent transmission over unencrypted connections.
  • Ruby on Rails: In Ruby on Rails, enforce SSL by setting 'config.force_ssl = true' in the 'config/environments/production.rb' file. This will ensure that all access to your application's routes is over HTTPS, redirecting any HTTP requests to HTTPS, and securing your data with SSL/TLS encryption.
  • Next.js: Implement SSL/TLS to ensure all data transmitted between the Next.js server and clients is encrypted. Configure your server to redirect all HTTP traffic to HTTPS and use HSTS to enforce SSL. Update all internal links to use HTTPS and set secure attributes on cookies.
  • Laravel: In Laravel, enforce SSL by adding a middleware that redirects all HTTP requests to HTTPS. Use the 'forceScheme' method on the URL facade within the middleware to ensure all generated URLs are HTTPS. Additionally, set the 'SECURE_COOKIES' environment variable to true to make all cookies secure by default.
  • Express.js: Implement SSL/TLS encryption for all Express.js routes by configuring the server to only serve content over HTTPS. Acquire and install an SSL certificate, redirect all HTTP traffic to HTTPS, and use the 'helmet' middleware to set HTTP security headers, including HSTS, to prevent any non-encrypted connections.
  • Django: In Django, ensure SSL/TLS is enforced by setting 'SECURE_SSL_REDIRECT' to 'True' in your settings.py file. This will redirect all HTTP requests to HTTPS. Additionally, set 'SESSION_COOKIE_SECURE' and 'CSRF_COOKIE_SECURE' to 'True' to prevent cookies from being transmitted over non-HTTPS connections. Use Django's built-in '@require_https' decorator for views that require SSL. For added security, consider implementing HSTS by setting 'SECURE_HSTS_SECONDS', 'SECURE_HSTS_INCLUDE_SUBDOMAINS', and 'SECURE_HSTS_PRELOAD' appropriately.
  • Symfony: In Symfony, enforce SSL by configuring your web server to redirect all HTTP traffic to HTTPS. Additionally, set 'security.yml' to require HTTPS for all routes by using 'requires_channel: https' under your firewall settings. Implement HSTS by adding the 'Strict-Transport-Security' header to your responses. This ensures all data is encrypted in transit, protecting against eavesdropping and tampering.
  • Spring Boot: In Spring Boot applications, enforce SSL by configuring the server to redirect all HTTP requests to HTTPS. This can be achieved by setting the 'security.require-ssl=true' property in the application.properties file or by implementing a WebSecurityConfigurerAdapter that redirects all incoming HTTP requests to HTTPS. Additionally, use the '@EnableWebSecurity' annotation to activate security features and configure HSTS headers to instruct browsers to only communicate over HTTPS.
  • Flask: In Flask, ensure SSL/TLS is enforced by redirecting all HTTP requests to HTTPS. Use the 'Flask-Talisman' extension to set strict HTTPS-only transport security headers and manage secure cookies. Configure your web server to handle SSL termination and always serve your Flask application over a secure connection.
  • Nuxt: Ensure all Nuxt.js applications are configured to use HTTPS by default. Set up a permanent redirect from HTTP to HTTPS to prevent any unencrypted traffic. Utilize the `server.https` option in `nuxt.config.js` to specify the SSL certificate and key, and consider implementing HSTS headers to enforce secure connections. Regularly renew your SSL certificates and use strong encryption protocols to maintain the highest level of security.
  • FastAPI: In FastAPI, ensure all API routes are configured to use HTTPS by setting up SSL/TLS certificates. Redirect all HTTP traffic to HTTPS and implement HSTS headers to enforce secure connections. Avoid sending sensitive data over unencrypted channels and consider using middleware to automate HTTPS redirection.
  • Frappe: Enforce SSL/TLS for all Frappe Framework API routes to ensure secure data transmission and protect against potential security threats such as man-in-the-middle attacks and data misuse.
  • Genzio: Ensure all API routes in the Genzio framework engine enforce SSL to prevent data interception and enhance security.
  • Gin: Enforce HTTPS by using the `gin.Default()` function and setting up a TLS server with `ListenAndServeTLS` to ensure all API routes are secure. Redirect HTTP requests to HTTPS to prevent insecure connections.
  • Gorilla: Enforce SSL/TLS for all API routes in the Gorilla framework to ensure secure data transmission and protect against potential security threats such as man-in-the-middle attacks.
  • Hapi: Enforce HTTPS by using the 'hapi-tls' plugin to configure TLS settings for your Hapi server, ensuring all API routes are served over a secure connection.
  • Hono: Enforce SSL/TLS for all API routes in the Hono framework to ensure secure data transmission and protect against potential security threats such as man-in-the-middle attacks and data misuse.
  • Jersey: Enforce HTTPS in the Jersey framework by configuring your server to redirect all HTTP traffic to HTTPS and ensuring that all API endpoints are accessible only via HTTPS. This can be achieved by setting up SSL/TLS certificates and configuring your web server (e.g., Apache, Nginx) or application server (e.g., Tomcat, Jetty) to support HTTPS. Additionally, update your Jersey application to use secure URLs and verify that all external resources are accessed securely.
  • Koa: Enforce HTTPS by using middleware in the Koa framework to redirect all HTTP requests to HTTPS, ensuring secure communication for your API routes.
  • Ktor: Enforce SSL/TLS in Ktor by configuring the server to use HTTPS. Ensure that all API routes are only accessible via HTTPS by setting up an SSL engine with a valid certificate. This can be done by using the `Netty` or `CIO` engine and specifying the `sslConnector` in the server configuration. Additionally, redirect all HTTP traffic to HTTPS to prevent any unsecured access.
  • Leptos: Enforce HTTPS for all API routes in the Leptos framework to prevent data interception and ensure secure communication.
  • Macaron: Enforce HTTPS by using the Macaron framework's built-in middleware to redirect all HTTP requests to HTTPS, ensuring secure communication for your API routes.
  • Phoenix: Enforce HTTPS by configuring your Phoenix application to redirect all HTTP requests to HTTPS using the `force_ssl` option in your endpoint configuration. This ensures secure communication and protects against the risks associated with unencrypted data transmission.
  • RedwoodJS: Enforce HTTPS for all API routes in your RedwoodJS application by configuring your server to redirect all HTTP traffic to HTTPS. This ensures secure data transmission and protects against potential security threats such as man-in-the-middle attacks.
  • Rocket: Enforce SSL/TLS for all Rocket framework routes to ensure secure data transmission and protect against potential security threats such as man-in-the-middle attacks.
  • SvelteKit: Enforce HTTPS in your SvelteKit application by configuring your server to redirect all HTTP traffic to HTTPS. Ensure that your server is set up with a valid SSL certificate and update your SvelteKit configuration to use secure cookies and connections. This will protect your API routes and user data from potential security threats.
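The framework notes above keep returning to the same three observable properties: plain-HTTP requests must be redirected to an HTTPS URL, HTTPS responses must carry a Strict-Transport-Security header, and no cookie may be set without the Secure flag. The added example below (not Escape's checker and not code from any listed framework) audits captured responses for exactly those properties, which is a useful smoke test after deploying any of the remediations. The sample responses are constructed, and the one-year minimum HSTS max-age is an assumption.

```javascript
// Added example, not Escape's own check implementation. Audits HTTP responses
// (as plain objects: scheme the request used, status, headers) for the
// properties the framework notes above expect. Returns a list of findings;
// an empty list means the response looks correctly enforced.
const MIN_HSTS_MAX_AGE = 31536000; // one year (assumption, not from the page)
const REDIRECT_STATUSES = new Set([301, 302, 307, 308]);

// Extract max-age from a Strict-Transport-Security value; null if absent/unparsable.
function parseHstsMaxAge(value) {
  const m = /max-age\s*=\s*"?(\d+)"?/i.exec(value || "");
  return m ? parseInt(m[1], 10) : null;
}

// A cookie attribute list is ';'-separated; match the Secure attribute as a whole token.
function cookieIsSecure(setCookie) {
  return /;\s*secure\s*(;|$)/i.test(setCookie);
}

function cookieName(setCookie) {
  return setCookie.split("=")[0].trim();
}

// resp = { scheme: "http" | "https", status: number, headers: { name: value | [values] } }
function auditResponse(resp) {
  const findings = [];
  const h = {};
  for (const [k, v] of Object.entries(resp.headers || {})) h[k.toLowerCase()] = v;
  const cookies = [].concat(h["set-cookie"] || []);

  if (resp.scheme === "http") {
    // Over plain HTTP the only acceptable answer is a redirect to an https:// URL.
    const location = String(h.location || "");
    if (!REDIRECT_STATUSES.has(resp.status)) {
      findings.push("plain HTTP request was served instead of redirected to HTTPS");
    } else if (!/^https:\/\//i.test(location)) {
      findings.push(`redirect target is not HTTPS: ${location || "(missing Location)"}`);
    }
    // Any cookie on a plain-HTTP response has already crossed the wire in clear.
    for (const c of cookies) findings.push(`cookie set over plain HTTP: ${cookieName(c)}`);
  } else {
    const maxAge = parseHstsMaxAge(h["strict-transport-security"]);
    if (maxAge === null) findings.push("missing Strict-Transport-Security header");
    else if (maxAge < MIN_HSTS_MAX_AGE) findings.push(`HSTS max-age too short: ${maxAge}`);
    for (const c of cookies) {
      if (!cookieIsSecure(c)) findings.push(`cookie lacks Secure flag: ${cookieName(c)}`);
    }
  }
  return findings;
}

// Constructed sample responses (not captured traffic) covering the main failure modes.
const SAMPLE_RESPONSES = {
  servedOverHttp: {
    scheme: "http", status: 200,
    headers: { "content-type": "application/json", "set-cookie": "session=abc123; Path=/; HttpOnly" },
  },
  goodRedirect: {
    scheme: "http", status: 308,
    headers: { location: "https://api.example.com/graphql" },
  },
  weakHttps: {
    scheme: "https", status: 200,
    headers: {
      "strict-transport-security": "max-age=300",
      "set-cookie": ["a=1; Secure; HttpOnly; Path=/", "b=2; Path=/"],
    },
  },
  goodHttps: {
    scheme: "https", status: 200,
    headers: {
      "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
      "Set-Cookie": "session=abc123; Secure; HttpOnly; SameSite=Lax",
    },
  },
};

function auditSamples() {
  const out = {};
  for (const [name, resp] of Object.entries(SAMPLE_RESPONSES)) out[name] = auditResponse(resp);
  return out;
}

module.exports = { auditResponse, auditSamples, parseHstsMaxAge, cookieIsSecure, SAMPLE_RESPONSES };
```

Feed it the status and headers from a real `curl -i http://host/path` and `curl -i https://host/path` of your own deployment to confirm the enforcement holds end to end, including through the proxy that terminates TLS.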

Configuration

Identifier: protocol/ssl

Examples

Ignore this check

checks:
  protocol/ssl:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API2:2023
  • OWASP LLM: LLM06:2023
  • pci: 4.1
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.1
  • nist: SP800-53
  • fedramp: AC-17

Classification

  • CWE: 319

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 7.2

References