CMMC 2.0 SC.L1-3.13.8 (NIST 800-171r2 3.13.8) requires that FCI be encrypted during transmission. Any HTTP connection — even for a redirect — transmits cookies, session tokens, and form data in cleartext readable by network observers on shared Wi-Fi, corporate proxies, or compromised routers. The absence of HSTS means browsers will accept HTTP connections rather than insisting on HTTPS, allowing SSL stripping attacks. CWE-319 (Cleartext Transmission of Sensitive Information) and OWASP A02 (Cryptographic Failures) both apply. CMMC assessors treat missing HSTS as a direct compliance gap for SC.L1-3.13.8.
High because HTTP transmission of FCI exposes session tokens and contract data to any network-layer observer without requiring any server-side compromise.
Configure HSTS with a two-year max-age and includeSubDomains in next.config.ts. The header must be served on every response — not just the login page:
// next.config.ts
import type { NextConfig } from 'next'

const nextConfig: NextConfig = {
  async headers() {
    return [{
      // '/:path*' matches every route, including '/', so the header is sent on all responses
      source: '/:path*',
      headers: [{
        key: 'Strict-Transport-Security',
        value: 'max-age=63072000; includeSubDomains; preload',
      }],
    }]
  },
}

export default nextConfig
Replace all hardcoded http:// URLs in production code with https:// equivalents or environment variables:
// Use an env var — guarantees correct protocol per environment
const API_URL = process.env.NEXT_PUBLIC_API_URL ?? 'https://api.example.com'
On non-Vercel hosts, add a server-level redirect from port 80 to 443 and configure ssl_protocols TLSv1.2 TLSv1.3 in your nginx config (or the equivalent SSLProtocol directive in Apache). Vercel enforces HTTPS automatically, but the HSTS header is still required for browser-level enforcement.
ID: gov-cmmc-level-1.system-comms.data-in-transit
Severity: high
CMMC Practice: Derived from SC.L1-3.13.1 and SC.L1-3.13.8
What to look for: Look for HTTPS enforcement across the application. Check for HSTS (Strict-Transport-Security) header configuration in next.config.js, middleware, or hosting config. Search for any hardcoded http:// URLs in production code paths (excluding localhost and development-specific code). Check for mixed content — loading scripts, images, or API calls over HTTP from an HTTPS page. Review hosting configuration for TLS settings. Check for redirect-to-HTTPS configuration at the hosting level.
Pass criteria: Count all hardcoded URL references in the codebase and check each for HTTPS. HSTS header is configured with max-age of at least 31536000. Zero hardcoded http:// URLs in non-localhost production code. Extract and quote the HSTS header configuration to verify the max-age value. Report: "X URL references found, Y use HTTPS; HSTS max-age is Z seconds."
Fail criteria: No HSTS header. Hardcoded http:// URLs in non-localhost production code. Mixed content — HTTPS page loading HTTP resources. TLS enforcement not configured.
Skip (N/A) when: Never — encryption in transit is a non-negotiable CMMC requirement.
Detail on fail: Identify the specific gap. Example: "No HSTS header in next.config.ts or middleware.ts. API calls in lib/api.ts use hardcoded http:// endpoints. No TLS enforcement configured at the hosting level." Keep under 500 characters.
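The check described under "What to look for" and "Pass criteria", as an added example that is not part of the rule text or of any Next.js project: it parses an HSTS header value, collects URL literals from source text while excluding localhost, applies the one-year max-age threshold and produces the report line the rule asks for. File contents are passed in as strings so it runs offline; the sample sources are constructed.

```javascript
const MIN_HSTS_MAX_AGE = 31536000; // one year, the pass threshold stated in the rule

// Parse a Strict-Transport-Security value into its directives; null if max-age is missing.
function parseHsts(value) {
  if (typeof value !== 'string') return null;
  const result = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(';')) {
    const directive = raw.trim();
    const m = /^max-age\s*=\s*"?(\d+)"?$/i.exec(directive);
    if (m) result.maxAge = Number(m[1]);
    else if (/^includeSubDomains$/i.test(directive)) result.includeSubDomains = true;
    else if (/^preload$/i.test(directive)) result.preload = true;
  }
  return result.maxAge === null ? null : result;
}

// Hosts that the rule excludes as development-only.
const LOCAL_HOST = /^(localhost|127\.0\.0\.1|\[::1\]|0\.0\.0\.0)(:\d+)?$/i;

// Collect every http(s):// URL literal in a source string, skipping local dev hosts.
function findUrls(source) {
  const urls = [];
  for (const m of source.matchAll(/https?:\/\/[^\s'"`<>)]+/g)) {
    const host = m[0].replace(/^https?:\/\//, '').split(/[/?#]/)[0];
    if (!LOCAL_HOST.test(host)) urls.push(m[0]);
  }
  return urls;
}

// Apply the pass criteria: every non-local URL is HTTPS and HSTS max-age is at least one year.
function auditTransit(sources, hstsValue) {
  const urls = sources.flatMap(findUrls);
  const httpsCount = urls.filter((u) => u.startsWith('https://')).length;
  const hsts = parseHsts(hstsValue);
  const maxAge = hsts ? hsts.maxAge : 0;
  const pass = maxAge >= MIN_HSTS_MAX_AGE && httpsCount === urls.length;
  const report = `${urls.length} URL references found, ${httpsCount} use HTTPS; HSTS max-age is ${maxAge} seconds.`;
  return { urlCount: urls.length, httpsCount, hstsMaxAge: maxAge, pass, report };
}

// Constructed sample inputs: one file with a cleartext endpoint, one with a localhost URL.
const sampleSources = [
  "const API = 'http://api.example.com/v1'\nconst CDN = 'https://cdn.example.com'",
  "const DEV = 'http://localhost:3000'",
];
console.log(auditTransit(sampleSources, 'max-age=63072000; includeSubDomains; preload').report);
```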
Remediation: Configure HSTS and enforce HTTPS throughout:
// next.config.ts
import type { NextConfig } from 'next'

const nextConfig: NextConfig = {
  async headers() {
    return [
      {
        // '/:path*' matches every route, including '/', so the header is sent on all responses
        source: '/:path*',
        headers: [
          {
            key: 'Strict-Transport-Security',
            value: 'max-age=63072000; includeSubDomains; preload'
          }
        ]
      }
    ]
  }
}

export default nextConfig
Replace any hardcoded HTTP URLs with HTTPS or environment variables:
// Use environment variables — ensures correct protocol per environment
const API_URL = process.env.NEXT_PUBLIC_API_URL ?? 'https://api.example.com'
// Ensure NEXT_PUBLIC_API_URL always uses https:// in production
On non-Vercel hosts, configure your web server to enforce HTTPS:
# nginx.conf
server {
    listen 80;
    # Redirect every cleartext request to HTTPS; no content is served on port 80
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    # Placeholder paths: point these at the real certificate and private key
    ssl_certificate     /etc/ssl/certs/example.crt;
    ssl_certificate_key /etc/ssl/private/example.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
}