Reliance on HTTP instead of HTTPS

Status: Incomplete
Abstraction: Base
Structure: Simple
Description

This vulnerability occurs when an application uses unencrypted HTTP connections instead of the secure HTTPS alternative, even when HTTPS is available.

Extended Description

Using HTTP exposes all data transmitted between the client and server, including sensitive information like login credentials, session tokens, and personal data. Attackers can easily intercept, read, or modify this unencrypted traffic through man-in-the-middle attacks, leading to data breaches, account hijacking, and content manipulation. HTTPS solves this by encrypting communications with TLS/SSL, ensuring confidentiality and integrity. Since HTTPS is a universally supported and standard security practice, there is no technical justification for relying on plain HTTP for any part of a modern application that handles user data or requires trust.

Common Consequences
Scope: Confidentiality, Integrity

Impact: Read Application Data, Modify Application Data

HTTP can be subjected to attacks against confidentiality (by reading cleartext packets); integrity (by modifying sessions); and authenticity (by compromising servers and/or clients using cache poisoning, phishing, or other attacks that enable attackers to spoof a legitimate entity in the communication channel).

Potential Mitigations
Phase: Architecture and Design
Explicitly require HTTPS or another mechanism that ensures that communication is encrypted [REF-1464].
Phase: Implementation
Avoid using "mixed content," i.e., serving a web page over HTTPS in which the page includes elements that use "http:" URLs [REF-1466] [REF-1467]. This is often done for images or other resources that do not seem to have privacy or security implications.
Phase: Implementation, Operation
Perform "HTTPS forcing," that is, redirecting HTTP requests to HTTPS.
Phase: Operation
If the product supports multiple protocols, ensure that encrypted protocols (such as HTTPS) are required, and remove any unencrypted protocols (such as HTTP).
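The "HTTPS forcing" mitigation above, as an added example (not part of this entry): a standard-library WSGI middleware that redirects any plain-HTTP request to the same URL on https://. It goes one step beyond the entry's text by also setting a Strict-Transport-Security header on HTTPS responses, and it only trusts X-Forwarded-Proto when explicitly told the app sits behind a TLS-terminating proxy; the sample app and request environments are constructed for illustration.

```python
from urllib.parse import quote
# Added example: HTTPS forcing as a WSGI middleware (standard library only).
# Plain-HTTP requests are redirected to https://; HTTPS responses get HSTS.
HSTS_VALUE = "max-age=31536000; includeSubDomains"

def request_is_https(environ, trust_forwarded_proto=False):
    """True if the request reached the app over TLS. X-Forwarded-Proto counts
    only behind a TLS-terminating proxy that overwrites it, else clients could set it."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if trust_forwarded_proto:
        first = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0]
        return first.strip().lower() == "https"
    return False

def https_target(environ):
    """Rebuild the requested URL with the https scheme."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = quote(environ.get("PATH_INFO") or "/")
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")

def force_https(app, trust_forwarded_proto=False):
    """Wrap a WSGI app so it is only ever served over HTTPS."""
    def middleware(environ, start_response):
        if not request_is_https(environ, trust_forwarded_proto):
            # 308 preserves method and body for POST/PUT; 301 suffices for GET/HEAD.
            safe = environ.get("REQUEST_METHOD", "GET") in ("GET", "HEAD")
            status = "301 Moved Permanently" if safe else "308 Permanent Redirect"
            start_response(status, [("Location", https_target(environ)),
                                    ("Content-Length", "0")])
            return [b""]
        def with_hsts(status, headers, exc_info=None):
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)
        return app(environ, with_hsts)
    return middleware

def sample_app(environ, start_response):  # constructed stand-in for the real app
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]

def run_request(app, environ):
    """Minimal WSGI driver (for tests): returns (status, headers, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

Deploy the redirect on the plain-HTTP listener only after every resource on the site is reachable over HTTPS, otherwise the redirect simply converts working requests into mixed-content errors.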
References
REF-1461: Amazon. "What's the Difference Between HTTP and HTTPS?"
REF-1462: Cloudflare. "Why is HTTP not secure? | HTTP vs. HTTPS"
REF-1463: Bob Lord. "Every Pipe, Every Byte: The Case for Universal Encryption". 12-12-2024.
REF-1464: Electronic Frontier Foundation. "Encrypting the Web"
REF-1465: OWASP. "Application Security Verification Standard 4.0.3 - Final"
REF-1466: "Fixing mixed content". 07-09-2019.
REF-1467: Mozilla. "Mixed content". 13-03-2025.
Applicable Platforms
Languages: Not Language-Specific (Prevalence: Undetermined)
Technologies: Not Technology-Specific (Prevalence: Undetermined)
Modes of Introduction
Architecture and Design
Requirements
Implementation
Implementation
Operation