HTTP transmits credentials, tokens, and user data in plaintext; any network intermediary can read or modify the traffic. CWE-319 (Cleartext Transmission of Sensitive Information) and CWE-311 (Missing Encryption of Sensitive Data) cover the structural failure. OWASP API Security Top 10 2023 API8 (Security Misconfiguration) and OWASP Top 10 2021 A02 (Cryptographic Failures) classify unencrypted API transport as a first-order misconfiguration. Even internal-facing APIs that carry authentication tokens should use TLS: internal networks are not trusted networks. PCI DSS Requirement 4.2.1 and SOC 2 CC6.7 both require encryption of data in transit. HSTS tells a browser that has received the header over HTTPS to rewrite every later http:// request to that host to https:// for max-age seconds, so it does not fall back to HTTP after the first HTTPS connection.
Low, because TLS is widely enforced at the edge by modern cloud platforms; misconfigured internal services or development-mode settings can still leave gaps.
Enforce HTTPS at the infrastructure level first (load balancer / CDN), then add application-level redirect middleware as a defense-in-depth layer. Set HSTS with a max-age of at least one year (31536000 seconds); browsers only honour the header when it arrives over HTTPS, so it only needs to be sent on TLS responses. For an API a redirect is a courtesy rather than a protection: by the time the server answers, the plaintext request and any token in it have already crossed the network, so rejecting HTTP with a 4xx is an equally valid choice, and for non-GET requests the safer one.
// src/middleware.ts (Next.js)
import { NextRequest, NextResponse } from 'next/server'

export function middleware(req: NextRequest) {
  // Redirect HTTP to HTTPS at the app layer (the CDN / load balancer should handle this first).
  // x-forwarded-proto is only meaningful behind a TLS-terminating proxy that sets it.
  if (req.headers.get('x-forwarded-proto') === 'http') {
    // Keep the query string, not just the path. The Host header is client-controlled:
    // check it against the canonical hostname(s) before using it as a redirect target.
    const target = `https://${req.headers.get('host')}${req.nextUrl.pathname}${req.nextUrl.search}`
    return NextResponse.redirect(target, 301)
  }
  const res = NextResponse.next()
  // HSTS: 1 year, include subdomains, preload.
  // Add `preload` only once every subdomain serves HTTPS; inclusion in the browser
  // preload list is effectively permanent.
  res.headers.set(
    'Strict-Transport-Security',
    'max-age=31536000; includeSubDomains; preload'
  )
  return res
}
Vercel and most PaaS platforms enforce HTTPS at the edge — verify that no internal service-to-service calls use http:// URLs.
ID: api-security.design-security.https-enforced
Severity: low
What to look for: Enumerate every relevant item. Check whether the API is configured to only accept HTTPS requests. Look for server configuration, middleware that redirects HTTP to HTTPS, or HSTS (HTTP Strict-Transport-Security) headers.
Pass criteria: The API only accepts HTTPS requests. HTTP requests are either rejected or redirected to HTTPS. The HSTS header is set with a reasonable max-age (at least 31536000 seconds / 1 year).
Fail criteria: The API accepts HTTP requests without redirecting to HTTPS, or HSTS is not configured.
Skip (N/A) when: The API listens only on loopback or a Unix domain socket and is never reachable over a network. An API that is reachable on a private network does not qualify; internal networks are not trusted networks.
Detail on fail: "API accepts unencrypted HTTP requests — traffic is not protected" or "HSTS header not set — browsers may accept HTTP fallback"
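The check that "What to look for", the pass/fail criteria and the fail messages above describe, written out as an added example; this is not code from the original page. It parses the Strict-Transport-Security header the way RFC 6797 says a browser does (missing or non-numeric max-age, or a duplicated directive, means the header is ignored), then applies the rule to one plaintext and one TLS observation of the same endpoint. The sample observations, the hostname api.example.com, and the probe helper are constructed for this example; the probe assumes Node 18+, whose global fetch returns the 3xx response itself under redirect: 'manual'.

```javascript
// Added example, not the page's own code: evaluates the HTTPS/HSTS pass criteria
// against a pair of observations (plaintext and TLS) for one endpoint.
const MIN_HSTS_MAX_AGE = 31536000; // one year, the threshold in the pass criteria

// Parse a Strict-Transport-Security value per RFC 6797. Returns null whenever a browser
// would ignore the header: missing or non-numeric max-age, or a duplicated directive.
function parseHsts(value) {
  if (typeof value !== 'string' || value.trim() === '') return null;
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  const seen = new Set();
  for (const part of value.split(';')) {
    const token = part.trim();
    if (token === '') continue;
    const eq = token.indexOf('=');
    const name = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    const rawVal = eq === -1 ? '' : token.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (seen.has(name)) return null; // RFC 6797 6.1: a repeated directive invalidates the header
    seen.add(name);
    if (name === 'max-age') {
      if (!/^\d+$/.test(rawVal)) return null;
      policy.maxAge = Number(rawVal);
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;
    } else if (name === 'preload') {
      policy.preload = true;
    } // unknown directives are ignored, as the RFC requires
  }
  return policy.maxAge === null ? null : policy;
}

// Apply the rule. `http` is the response to the plaintext request, `https` the response
// to the TLS request. A status of 0 stands for "connection refused / port closed".
function evaluateTransport({ http, https }) {
  const findings = [];
  if (http.status >= 200 && http.status < 300) {
    findings.push('API accepts unencrypted HTTP requests (traffic is not protected)');
  } else if (http.status >= 300 && http.status < 400) {
    const target = http.location || '';
    if (!/^https:\/\//i.test(target)) {
      findings.push(`HTTP request redirected to a non-HTTPS location: "${target}"`);
    }
  }
  // status 0 and 4xx/5xx count as "rejected", which the pass criteria allow
  const hsts = parseHsts(https.hsts);
  if (hsts === null) {
    findings.push('HSTS header not set or malformed (browsers may accept HTTP fallback)');
  } else if (hsts.maxAge < MIN_HSTS_MAX_AGE) {
    findings.push(`HSTS max-age ${hsts.maxAge} is below the one-year minimum (${MIN_HSTS_MAX_AGE})`);
  }
  return { pass: findings.length === 0, findings, hsts };
}

// Live probe of a real host (hypothetical helper; assumes Node 18+ global fetch).
// Not invoked unless the script is run with `--probe <host>`.
async function probe(host, path = '/') {
  const get = async (url) => {
    try {
      const res = await fetch(url, { redirect: 'manual' });
      return {
        status: res.status,
        location: res.headers.get('location'),
        hsts: res.headers.get('strict-transport-security'),
      };
    } catch {
      return { status: 0, location: null, hsts: null }; // refused or unreachable: rejected
    }
  };
  const [http, https] = await Promise.all([get(`http://${host}${path}`), get(`https://${host}${path}`)]);
  return evaluateTransport({ http, https });
}

// Constructed sample observations, shaped like `curl -sI` output; not captured from real hosts.
const SAMPLES = {
  compliant: {
    http: { status: 301, location: 'https://api.example.com/v1/health' },
    https: { hsts: 'max-age=31536000; includeSubDomains; preload' },
  },
  plaintext: {
    http: { status: 200, location: null },
    https: { hsts: null },
  },
  shortMaxAge: {
    http: { status: 308, location: 'https://api.example.com/' },
    https: { hsts: 'max-age=86400; includeSubDomains' },
  },
  rejectsHttpNoMaxAge: {
    http: { status: 0, location: null },           // port 80 closed: counts as rejected
    https: { hsts: 'includeSubDomains; preload' }, // no max-age: browsers ignore the header
  },
};

if (process.argv[2] === '--probe' && process.argv[3]) {
  probe(process.argv[3]).then((r) => console.log(JSON.stringify(r, null, 2)));
} else {
  for (const [name, obs] of Object.entries(SAMPLES)) {
    console.log(name, JSON.stringify(evaluateTransport(obs)));
  }
}
```

Run without arguments to see the four constructed cases evaluated; `node check.js --probe api.example.com` runs the same logic against a live host. The parser deliberately returns null rather than a partial policy for a header a browser would discard, because "HSTS present but ignored" is the failure mode that a simple substring check misses.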
Remediation: Enforce HTTPS and set HSTS:
// Express middleware to redirect HTTP to HTTPS.
// Assumes a TLS-terminating proxy in front of the app that sets x-forwarded-proto;
// without one, every request lacks the header and would be redirected.
const express = require('express')
const app = express()

app.use((req, res, next) => {
  if (req.header('x-forwarded-proto') !== 'https') {
    // Permanent redirect so clients cache it. The Host header is client-controlled:
    // check it against the canonical hostname(s) before using it as the target.
    return res.redirect(301, `https://${req.header('host')}${req.url}`)
  }
  next()
})
// Set HSTS header. Registered after the redirect, so it is only sent on HTTPS
// responses, which is the only place browsers honour it.
app.use((req, res, next) => {
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains')
  next()
})