HTTPS to HTTP Redirects are scanned as part of the Security Misconfiguration Vulnerabilities Security Tests used to evaluate the Web Application Security Risk Vector.
This security test assesses whether the redirect chain contains an insecure redirect, from a secure location (HTTPS) to an insecure one (HTTP).
Need to fix?
- Ensure your website does not redirect users from a secure (HTTPS) page to an insecure (HTTP) page.
- Review your server and application configurations for any redirects that downgrade security.
- Update all redirects to point to HTTPS destinations only.
- Test your site by navigating to HTTPS URLs and confirming no redirect to HTTP occurs.
You can use tools like Chrome Developer Tools to identify any insecure redirects, allowing you to pinpoint and resolve these issues quickly.
How do I check if an HTTPS to HTTP redirect has been fixed?
After the insecure redirect is addressed and once we have rescanned the web application, check in Bitsight that the specific hostname where the insecure redirect was detected no longer presents evidence of insecure redirects.
What is the risk? When performing an insecure redirect, any sensitive information that might have previously been transmitted as encrypted may be accessible without encryption.
How are the HTTPS to HTTP redirects detected? We check all the redirects that occur from the initial domain to the final one and flag any redirects that are insecure.
How can I check the HTTPS to HTTP redirects in my web application? In Bitsight, check the Evidence tab for an HTTPS to HTTP redirect finding (check the Responses detail) for information about the complete redirect chain, which allows you to understand the issue:
- The first domain in the redirect chain where the connection started.
- The HTTPS domain where the insecure redirect happens. The next redirect is to an insecure domain; this will be the domain used to generate a finding (the finding evidence).
- The insecure domain to which the connection is redirected.
Depending on the website configurations, different initial domains can lead to different behaviors that might not always result in insecure redirects. Always refer to the first domain in the redirect chain to follow the chain of redirects that lead to the insecure behavior.
It may also be useful to use Chrome Developer Tools, starting a browser navigation from the first domain indicated in the evidence. Then, use the Network tab to confirm there is a redirect from an HTTPS address to the address indicated in the Value in the Evidence, which is HTTP.
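The detection logic described above (walk every hop from the initial domain to the final one and flag any hop where an HTTPS page redirects to an HTTP URL) and the three evidence fields (first domain, HTTPS domain where the downgrade happens, insecure destination domain) can be reproduced offline against a redirect chain copied from the browser's Network tab. The following is an added example, not Bitsight's scanner code; the hostnames and the chain are constructed placeholders, and the function names are the author's own. It also handles relative and scheme-relative Location headers, which inherit the HTTPS scheme of the page and therefore are not downgrades.

```python
"""Flag HTTPS -> HTTP downgrades in a captured redirect chain (added example)."""
from typing import List, Optional, Tuple, Dict
from urllib.parse import urlsplit, urljoin

# One hop = (URL that was requested, Location header the server answered with).
# Constructed sample chain; all hostnames are placeholders, not real sites.
SAMPLE_CHAIN: List[Tuple[str, Optional[str]]] = [
    ("http://example.test/", "https://example.test/"),            # upgrade: fine
    ("https://example.test/", "/home"),                           # relative: stays HTTPS
    ("https://example.test/home", "https://www.example.test/"),   # HTTPS -> HTTPS: fine
    ("https://www.example.test/", "http://legacy.example.test/portal"),  # downgrade
    ("http://legacy.example.test/portal", None),                  # final response
]


def resolve_location(src: str, location: str) -> str:
    """Resolve a Location header the way a browser does: relative paths and
    scheme-relative (//host/...) values inherit the scheme of the current page."""
    return urljoin(src, location)


def hop_is_downgrade(src: str, location: Optional[str]) -> bool:
    """True when a page served over HTTPS redirects to a plain-HTTP URL."""
    if location is None:
        return False  # no redirect on this hop
    target = resolve_location(src, location)
    return urlsplit(src).scheme == "https" and urlsplit(target).scheme == "http"


def find_downgrades(chain: List[Tuple[str, Optional[str]]]) -> List[Dict[str, str]]:
    """Walk the whole chain and return one finding per downgrading hop, laid out
    like the evidence fields: first domain, HTTPS domain where the downgrade
    happens, insecure destination domain, and the HTTP Location value."""
    if not chain:
        return []
    first_domain = urlsplit(chain[0][0]).hostname or ""
    findings = []
    for src, location in chain:
        if hop_is_downgrade(src, location):
            target = resolve_location(src, location)  # type: ignore[arg-type]
            findings.append({
                "first_domain": first_domain,
                "https_domain": urlsplit(src).hostname or "",
                "insecure_domain": urlsplit(target).hostname or "",
                "value": target,
            })
    return findings


def chain_is_clean(chain: List[Tuple[str, Optional[str]]]) -> bool:
    """Verification helper for after a fix: True when no hop downgrades."""
    return not find_downgrades(chain)


if __name__ == "__main__":
    for finding in find_downgrades(SAMPLE_CHAIN):
        print("Connection security downgrade:")
        for key, value in finding.items():
            print(f"  {key}: {value}")
    print("clean:", chain_is_clean(SAMPLE_CHAIN))
```

To use it on your own site, paste the request URL and Location header of each hop shown in the Network tab into the chain, starting from the first domain listed in the evidence; an empty result from find_downgrades means the chain no longer downgrades.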
Does this impact my WAS Risk Vector Grade? Yes.
Possible Grades:
- Bad: All HTTPS to HTTP Redirect findings are graded BAD (Weight=1000).
What will I see in the Portal?
Issue: Connections security downgrade.
Details: A downgrade of the connection was detected on the redirect chain.