
SSL enforced

Description

This security best practice should be enforced by your organization, at least for your API routes.

Here are four examples of the risks of allowing insecure HTTP:

  • Man-in-the-Middle attacks: attackers can intercept and alter data from a legitimate request.
  • Misuse of data: confidential information can be read by attackers.
  • Downranking of websites: search engines can consider your website insecure and rate it as not trustworthy.
  • Loss of customers' trust: without the HTTPS padlock displayed on your website, users may rightfully consider it unsafe.

Using HSTS alone is not a solution to this problem: it does not protect against MITM attacks or ordinary "public wifi sniffing" until the connection has been upgraded to HTTPS. As recommended by Google, make sure that no cookies are sent over plain HTTP before that upgrade happens.

Remediation

Enforce HTTPS (using an SSL/TLS certificate) to protect your users' connections. In most cases this must be done at the ingress or (reverse-)proxy level, redirecting every plain-HTTP request to its HTTPS equivalent.

If you are using Let's Encrypt certificates, make sure that HTTP to HTTPS redirections are allowed on the path /.well-known/acme-challenge/ so that the HTTP-01 challenge keeps working.
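The remediation above, as an added example that is not part of the Escape documentation: a dependency-free WSGI middleware that redirects plain HTTP to HTTPS, keeps /.well-known/acme-challenge/ reachable for the ACME HTTP-01 challenge, adds HSTS only on HTTPS responses and marks every cookie Secure. It assumes the application sits behind the organisation's own TLS-terminating proxy, which is why X-Forwarded-Proto is trusted; demo_app and invoke are constructed helpers.

```python
# Added example (not Escape's code): WSGI middleware enforcing the remediation.
# Plain HTTP -> 301 to https://, except the ACME HTTP-01 path; HSTS is added only
# on HTTPS responses (RFC 6797); every Set-Cookie gets the Secure attribute.
# X-Forwarded-Proto is trusted because a TLS-terminating reverse proxy is assumed.
from urllib.parse import quote

ACME_PREFIX = "/.well-known/acme-challenge/"
HSTS = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def is_https(environ):
    proto = environ.get("HTTP_X_FORWARDED_PROTO", environ.get("wsgi.url_scheme", "http"))
    return proto.split(",")[0].strip().lower() == "https"


def force_https(app):
    def middleware(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if not is_https(environ) and not path.startswith(ACME_PREFIX):
            host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
            target = "https://" + host + quote(path)
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            # Empty body and no Set-Cookie: nothing confidential crosses plain HTTP.
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def hardened_start_response(status, headers, exc_info=None):
            out = [(n, v + "; Secure" if n.lower() == "set-cookie"
                    and "secure" not in v.lower() else v) for n, v in headers]
            if is_https(environ) and not any(n.lower() == HSTS[0].lower() for n, _ in out):
                out.append(HSTS)
            return start_response(status, out, exc_info)

        return app(environ, hardened_start_response)
    return middleware


def demo_app(environ, start_response):
    # Constructed upstream app that sets a session cookie without Secure.
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc; HttpOnly")])
    return [b"ok"]


def invoke(app, path, proto, host="api.example.com", query=""):
    """Run a WSGI app against a constructed environ; returns (status, headers)."""
    seen = {}
    environ = {"PATH_INFO": path, "QUERY_STRING": query, "HTTP_HOST": host,
               "wsgi.url_scheme": "http", "HTTP_X_FORWARDED_PROTO": proto}
    b"".join(app(environ, lambda s, h, e=None: seen.update(status=s, headers=h)))
    return seen["status"], dict(seen["headers"])
```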

GraphQL Specific

Apollo

Ensure that the Apollo framework engine is configured to enforce SSL/TLS encryption for all incoming and outgoing connections to prevent data interception and man-in-the-middle attacks. This can typically be achieved by setting up HTTPS for your Apollo server and using secure WebSockets (WSS) for subscriptions.

Yoga

Ensure that the Yoga framework engine is configured to enforce SSL/TLS for all connections to prevent data interception and man-in-the-middle attacks. This can typically be achieved by configuring the server to redirect all HTTP requests to HTTPS, setting up HSTS (HTTP Strict Transport Security), and ensuring that SSL certificates are valid and up-to-date. Additionally, consider implementing TLS 1.2 or higher for enhanced security.

Awsappsync

Ensure that SSL is enforced for all data in transit to and from AWS AppSync by configuring the API to require HTTPS for all requests and by using AWS-managed certificates for SSL/TLS termination.

Graphqlgo

Ensure that the GraphQL Go framework engine is configured to enforce SSL/TLS connections for all incoming and outgoing communications to prevent data interception and man-in-the-middle attacks. This can typically be achieved by setting up an SSL-enabled proxy in front of the application or by configuring the server to only accept secure connections. Additionally, consider implementing HSTS (HTTP Strict Transport Security) to enforce SSL/TLS usage for all clients.

Graphqlruby

Ensure that SSL is enforced for all GraphQL Ruby framework engine connections to prevent data interception and man-in-the-middle attacks. Configure the server to redirect all HTTP requests to HTTPS and use SSL certificates from a trusted certificate authority. Additionally, set the 'force_ssl' configuration option to 'true' in the environment configuration file to enforce SSL usage.

Hasura

Ensure that SSL is enforced for all connections to the Hasura GraphQL engine by setting the environment variable HASURA_GRAPHQL_SSL_CERT_DIR to the directory containing your SSL certificates. Additionally, configure your reverse proxy or load balancer to only accept secure HTTPS connections.

REST Specific

Asp_net

Implement SSL/TLS to encrypt all data in transit. Ensure all ASP.NET applications redirect HTTP traffic to HTTPS, utilize the RequireHttpsAttribute for MVC controllers, and set Strict-Transport-Security headers to enforce HSTS, while ensuring cookies have the secure flag set to prevent transmission over unencrypted connections.

Ruby_on_rails

In Ruby on Rails, enforce SSL by setting 'config.force_ssl = true' in the 'config/environments/production.rb' file. This will ensure that all access to your application's routes is over HTTPS, redirecting any HTTP requests to HTTPS, and securing your data with SSL/TLS encryption.

Next_js

Implement SSL/TLS to ensure all data transmitted between the Next.js server and clients is encrypted. Configure your server to redirect all HTTP traffic to HTTPS and use HSTS to enforce SSL. Update all internal links to use HTTPS and set secure attributes on cookies.

Laravel

In Laravel, enforce SSL by adding a middleware that redirects all HTTP requests to HTTPS. Use the 'forceScheme' method on the URL facade within the middleware to ensure all generated URLs are HTTPS. Additionally, set the 'SECURE_COOKIES' environment variable to true to make all cookies secure by default.

Express_js

Implement SSL/TLS encryption for all Express.js routes by configuring the server to only serve content over HTTPS. Acquire and install an SSL certificate, redirect all HTTP traffic to HTTPS, and use the 'helmet' middleware to set HTTP headers for security, including HSTS, to prevent any non-encrypted connections.

Django

In Django, ensure SSL/TLS is enforced by setting the 'SECURE_SSL_REDIRECT' to 'True' in your settings.py file. This will redirect all HTTP requests to HTTPS. Additionally, set 'SESSION_COOKIE_SECURE' and 'CSRF_COOKIE_SECURE' to 'True' to prevent cookies from being transmitted over non-HTTPS connections. Use Django's built-in '@require_https' decorator for views that require SSL. For added security, consider implementing HSTS by setting 'SECURE_HSTS_SECONDS', 'SECURE_HSTS_INCLUDE_SUBDOMAINS', and 'SECURE_HSTS_PRELOAD' appropriately.

Symfony

In Symfony, enforce SSL by configuring your web server to redirect all HTTP traffic to HTTPS. Additionally, set the 'security.yml' to require HTTPS for all routes by using the 'requires_channel: https' under your firewall settings. Implement HSTS by adding the 'Strict-Transport-Security' header in your response. This ensures all data is encrypted during transit, protecting against eavesdropping and tampering.

Spring_boot

In Spring Boot applications, enforce SSL by configuring the server to redirect all HTTP requests to HTTPS. This can be achieved by setting the 'security.require-ssl=true' property in the application.properties file or by implementing a WebSecurityConfigurerAdapter that redirects all incoming HTTP requests to HTTPS. Additionally, use the '@EnableWebSecurity' annotation to activate security features and configure HSTS headers to instruct browsers to only communicate over HTTPS.

Flask

In Flask, ensure SSL/TLS is enforced by redirecting all HTTP requests to HTTPS. Use the 'Flask-Talisman' extension to set strict HTTPS-only transport security headers and manage secure cookies. Configure your web server to handle SSL termination and always serve your Flask application over a secure connection.

Nuxt

Ensure all Nuxt.js applications are configured to use HTTPS by default. Set up a permanent redirect from HTTP to HTTPS to prevent any unencrypted traffic. Utilize the server.https option in nuxt.config.js to specify the SSL certificate and key, and consider implementing HSTS headers to enforce secure connections. Regularly update your SSL certificates and use strong encryption protocols to maintain the highest level of security.

Fastapi

In FastAPI, ensure all API routes are configured to use HTTPS by setting up SSL/TLS certificates. Redirect all HTTP traffic to HTTPS and implement HSTS headers to enforce secure connections. Avoid sending sensitive data over unencrypted channels and consider using middleware to automate HTTPS redirection.
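The requirements repeated across the framework sections above (HTTP redirected to HTTPS on the same host, HSTS on the HTTPS response, Secure cookies, nothing confidential over plain HTTP) can be verified offline from captured responses. This is an added example, not Escape's own check implementation; the response samples are constructed and the host name is a placeholder.

```python
# Added example (not Escape's code): evaluate captured responses against the
# SSL-enforcement requirements listed in the framework sections.
# A response is a (status_code, [(header, value), ...]) pair; samples are constructed.
from urllib.parse import urlsplit


def _header(headers, name):
    return [v for n, v in headers if n.lower() == name.lower()]


def ssl_findings(host, http_response, https_response):
    """Return human-readable findings; an empty list means SSL is enforced."""
    findings = []
    status, headers = http_response
    if status not in (301, 302, 307, 308):
        findings.append(f"plain HTTP answered {status} instead of redirecting")
    else:
        loc = _header(headers, "Location")
        target = urlsplit(loc[0]) if loc else None
        if target is None or target.scheme != "https":
            findings.append("redirect target is not an https:// URL")
        elif target.hostname != host:
            findings.append(f"redirect leaves the host ({target.hostname})")
    if _header(headers, "Set-Cookie"):
        findings.append("cookie set on the plain-HTTP response")
    if _header(headers, "Strict-Transport-Security"):
        findings.append("HSTS over HTTP is ignored by browsers (RFC 6797)")

    status, headers = https_response
    hsts = _header(headers, "Strict-Transport-Security")
    if not hsts:
        findings.append("HTTPS response lacks Strict-Transport-Security")
    else:
        directives = [d.strip().lower() for d in hsts[0].split(";")]
        ages = [d.split("=", 1)[1] for d in directives if d.startswith("max-age=")]
        if not ages or not ages[0].isdigit() or int(ages[0]) == 0:
            findings.append("HSTS max-age is missing or zero")
    for cookie in _header(headers, "Set-Cookie"):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie without Secure flag: {cookie.split('=', 1)[0]}")
    return findings


# Constructed samples for a placeholder host.
HOST = "api.example.com"
WEAK_HTTP = (200, [("Content-Type", "application/json"), ("Set-Cookie", "session=abc; HttpOnly")])
WEAK_HTTPS = (200, [("Content-Type", "application/json"), ("Set-Cookie", "session=abc; HttpOnly")])
GOOD_HTTP = (301, [("Location", "https://api.example.com/graphql")])
GOOD_HTTPS = (200, [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                    ("Set-Cookie", "session=abc; HttpOnly; Secure")])
```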

Configuration

Identifier: protocol/ssl

Examples

Ignore this check

checks:
  protocol/ssl:
    skip: true

Score

  • Escape Severity: MEDIUM

Compliance

  • OWASP: API2:2023
  • pci: 4.1
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.1
  • nist: SP800-53
  • fedramp: AC-17

Classification

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 7.2
