Without HTTPS enforcement, every byte transmitted between your server and the user travels in plaintext — session tokens, form fields, and API responses are readable by anyone on the same network. Man-in-the-middle attackers on public Wi-Fi can silently rewrite page content, inject scripts, or steal credentials before the user even knows they're on your site. PCI-DSS 4.0 Req 4.2.1 and NIST SP 800-53 SC-8 both mandate encrypted transport; a lapse here puts cardholder data directly in scope for a breach. OWASP A02 (Cryptographic Failures) flags unencrypted transport as the most straightforward path to data exposure.
Critical because unencrypted HTTP transmits credentials and session tokens in plaintext, enabling trivial interception on any shared network.
Add an explicit HSTS header via your framework config so browsers and intermediaries refuse to downgrade connections. Most modern hosts (Vercel, Netlify, Cloudflare Pages) enforce HTTPS automatically, but the header is still required for browser-side enforcement.
// next.config.js
// headers() runs at build time; the object below is applied to every route
// matched by source.
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',          // every path
      headers: [{
        key: 'Strict-Transport-Security',
        // one year, and cover subdomains so no host can be served over plain HTTP
        value: 'max-age=31536000; includeSubDomains'
      }]
    }]
  }
}
For Express or Fastify, helmet() sets HSTS and sensible defaults for the other common security headers in one call.
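The two browser-side mechanisms the page names (an HTTP-to-HTTPS redirect and an HSTS header) as an added Node example, not code from the page or from helmet. It uses the (req, res, next) signature that Express and plain node:http handlers accept; all function names are hypothetical, and the request/response objects in simulate() are constructed stand-ins for testing.

```javascript
// Added example (not from the page): framework-agnostic HTTPS enforcement
// middleware for Node, using the (req, res, next) signature that Express and
// plain node:http handlers accept. All function names are hypothetical.

// Build the Strict-Transport-Security value. maxAge is in seconds; the page's
// snippet uses one year (31536000).
function hstsValue({ maxAge = 31536000, includeSubDomains = true, preload = false } = {}) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new RangeError('maxAge must be a non-negative integer');
  }
  const parts = [`max-age=${maxAge}`];
  if (includeSubDomains) parts.push('includeSubDomains');
  if (preload) parts.push('preload');
  return parts.join('; ');
}

// Did this request arrive over TLS? Behind a reverse proxy or load balancer the
// socket itself is plaintext, so X-Forwarded-Proto is consulted only when
// trustProxy is set; trusting it unconditionally lets any client claim HTTPS
// and skip the redirect.
function isSecureRequest(req, trustProxy) {
  if (req.socket && req.socket.encrypted) return true;
  if (!trustProxy) return false;
  const xfp = req.headers['x-forwarded-proto'];
  return typeof xfp === 'string' && xfp.split(',')[0].trim().toLowerCase() === 'https';
}

// Redirect every plaintext request to its https:// equivalent (301, so browsers
// cache the redirect and stop asking over HTTP).
function forceHttps({ trustProxy = false } = {}) {
  return function (req, res, next) {
    if (isSecureRequest(req, trustProxy)) return next();
    const host = req.headers.host;
    if (!host) {
      res.statusCode = 400;
      return res.end('Host header required');
    }
    res.statusCode = 301;
    res.setHeader('Location', `https://${host}${req.url}`);
    res.end();
  };
}

// Emit HSTS on HTTPS responses only: RFC 6797 has browsers ignore the header
// when it arrives over plain HTTP, so sending it there is just noise.
function hsts({ trustProxy = false, ...headerOptions } = {}) {
  const value = hstsValue(headerOptions);
  return function (req, res, next) {
    if (isSecureRequest(req, trustProxy)) {
      res.setHeader('Strict-Transport-Security', value);
    }
    next();
  };
}

// Minimal middleware chain, enough to run the stack without a framework.
function chain(...middlewares) {
  return function (req, res) {
    let i = 0;
    const next = () => {
      const mw = middlewares[i++];
      if (mw) mw(req, res, next);
    };
    next();
  };
}

// Run a handler against a constructed request and capture status + headers.
function simulate(handler, { url = '/', headers = {}, encrypted = false } = {}) {
  const req = { url, headers, socket: { encrypted } };
  const out = { status: 200, headers: {} };
  const res = {
    get statusCode() { return out.status; },
    set statusCode(v) { out.status = v; },
    setHeader(k, v) { out.headers[k.toLowerCase()] = v; },
    end() {},
  };
  handler(req, res);
  return out;
}

// Example stack for an app deployed behind a TLS-terminating proxy: redirect
// first, then HSTS, then the application.
const handler = chain(
  forceHttps({ trustProxy: true }),
  hsts({ trustProxy: true, maxAge: 31536000, includeSubDomains: true }),
  (req, res) => { res.setHeader('Content-Type', 'text/plain'); res.end('ok'); },
);
```

To serve it, pass handler to http.createServer(handler).listen(port), or in Express mount the pieces with app.use(forceHttps({ trustProxy: true })) and app.use(hsts({ trustProxy: true })) before any routes. Keep trustProxy off unless a proxy you control is the only thing that can reach the app; with it off, a spoofed X-Forwarded-Proto: https on a plaintext connection is still redirected.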
ID: security-headers.transport.https-enforced
Severity: critical
What to look for: Enumerate all HTTPS enforcement mechanisms present in the project: HSTS headers in config, HTTP-to-HTTPS redirect rules, hosting platform automatic HTTPS (Vercel, Netlify, Cloudflare all enforce HTTPS by default). Check framework config and deployment config for redirect rules.
Pass criteria: HTTPS is enforced through at least 1 of: HSTS header configuration, explicit HTTP-to-HTTPS redirect, or deployment on a platform that enforces HTTPS automatically (Vercel, Netlify, Cloudflare Pages, etc.).
Fail criteria: No HTTPS enforcement found — no HSTS, no redirects, and deployment target does not automatically enforce HTTPS.
Skip (N/A) when: Never — every web project should enforce HTTPS.
Detail on fail: "No HSTS header configured, no HTTP-to-HTTPS redirect found, and hosting platform does not appear to auto-enforce HTTPS" or "HTTP-to-HTTPS redirect not configured and hosting platform does not enforce HTTPS by default"
Remediation: HTTPS prevents eavesdropping and man-in-the-middle attacks. Most modern hosting platforms enforce it automatically. If yours doesn't, add an HSTS header:
// next.config.js
// headers() runs at build time; the object below is applied to every route
// matched by source.
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',          // every path
      headers: [{
        key: 'Strict-Transport-Security',
        // one year, and cover subdomains so no host can be served over plain HTTP
        value: 'max-age=31536000; includeSubDomains'
      }]
    }]
  }
}
For Express/Fastify, use the helmet middleware, which sets HSTS and other security headers.
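The check itself, as an added example built from the rule's pass/fail criteria above; it is not the page's or any scanner's own code. The evidence object (hstsHeader, httpToHttpsRedirect, platform) is a hypothetical shape standing in for what a scan of framework config, redirect rules and the deployment target would collect, and the function names are mine. It goes slightly beyond the rule by validating the HSTS value against RFC 6797 rather than only checking that a header exists, so a max-age=0 or malformed header is not mistaken for enforcement.

```javascript
// Added example (not from the page): evaluator for the
// security-headers.transport.https-enforced check. Evidence shape and function
// names are hypothetical.

const RULE_ID = 'security-headers.transport.https-enforced';
const ONE_YEAR = 31536000;
// Platforms the rule names as enforcing HTTPS automatically.
const AUTO_HTTPS_PLATFORMS = new Set(['vercel', 'netlify', 'cloudflare-pages']);

// Parse a Strict-Transport-Security value (RFC 6797 section 6.1): directive
// names are case-insensitive, max-age is required, a repeated directive makes
// the whole header invalid, unknown directives are ignored.
function parseHsts(value) {
  if (typeof value !== 'string') throw new TypeError('header value must be a string');
  const seen = new Set();
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(';')) {
    const token = raw.trim();
    if (!token) continue;
    const eq = token.indexOf('=');
    const name = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? null : token.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (seen.has(name)) throw new Error(`duplicate directive: ${name}`);
    seen.add(name);
    if (name === 'max-age') {
      if (val === null || !/^\d+$/.test(val)) throw new Error('max-age must be a non-negative integer');
      policy.maxAge = Number(val);
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;
    } else if (name === 'preload') {
      policy.preload = true;
    }
  }
  if (policy.maxAge === null) throw new Error('max-age directive is required');
  return policy;
}

// Apply the rule. `evidence` is what the scan found:
//   hstsHeader: the configured Strict-Transport-Security value, or null
//   httpToHttpsRedirect: whether an explicit redirect rule exists
//   platform: deployment target name, or null
function evaluateHttpsEnforcement({ hstsHeader = null, httpToHttpsRedirect = false, platform = null } = {}) {
  const mechanisms = [];
  const warnings = [];

  if (hstsHeader !== null) {
    try {
      const p = parseHsts(hstsHeader);
      if (p.maxAge === 0) {
        // max-age=0 instructs browsers to drop the host from their HSTS list.
        warnings.push('HSTS max-age=0 disables the policy; not counted as enforcement');
      } else {
        mechanisms.push('hsts');
        if (p.maxAge < ONE_YEAR) warnings.push(`HSTS max-age ${p.maxAge}s is below the one-year value used in remediation`);
        if (!p.includeSubDomains) warnings.push('HSTS does not cover subdomains');
      }
    } catch (err) {
      warnings.push(`HSTS header present but invalid (${err.message}); not counted as enforcement`);
    }
  }
  if (httpToHttpsRedirect) mechanisms.push('redirect');
  if (platform !== null && AUTO_HTTPS_PLATFORMS.has(platform.toLowerCase())) mechanisms.push('platform');

  const pass = mechanisms.length > 0;
  // Fail wording is the rule's own "Detail on fail" text.
  const detail = pass
    ? `HTTPS enforced via: ${mechanisms.join(', ')}`
    : 'No HSTS header configured, no HTTP-to-HTTPS redirect found, and hosting platform does not appear to auto-enforce HTTPS';
  return { id: RULE_ID, severity: 'critical', status: pass ? 'pass' : 'fail', mechanisms, warnings, detail };
}
```

Warnings never flip a pass to a fail, matching the rule's "at least 1 of" criterion; they surface the weak configurations (short max-age, no includeSubDomains) a reviewer would still want to see in the report.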