Protocol: SSL enforced¶

Identifier: ssl

Scanner(s) Support¶

GraphQL Scanner	REST Scanner	WebApp Scanner

Description¶

If your API routes allow plain HTTP, an attacker can intercept the data before the connection is even secured. This means sensitive info could be taken or altered in real time, potentially leading to misuse of data, harming your reputation, and hurting your site's search ranking. Many developers mistakenly rely on mechanisms like HSTS to secure their site, but these tools only work after an HTTPS connection is already established. The root problem is not forcing secure HTTPS from the start, leaving that initial connection exposed to potential man-in-the-middle attacks.

References:

https://developers.google.com/search/docs/advanced/security/https

Configuration¶

Example¶

Example configuration:

---
security_tests:
  ssl:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference¶

`assets_allowed`¶

Type : List[AssetType]*

List of assets that this check will cover.

`skip`¶

Type : boolean

Skip the test if true.