Transmitting credentials over unencrypted HTTP exposes every login, password-reset token, and OAuth callback to network interception — a passive attacker on the same Wi-Fi can harvest session tokens in seconds. NIST 800-53 rev5 SC-8 (Transmission Confidentiality) and SC-23 (Session Authenticity) require cryptographic protection for all in-transit data; FedRAMP rev5 makes this a hard requirement for cloud systems handling federal data. CWE-319 and OWASP A02 (Cryptographic Failures) both cite cleartext credential transmission as a direct path to account takeover. Without HSTS, even an HTTPS-capable server remains vulnerable to SSL stripping during the first unprotected request.
Critical because unencrypted authentication transport lets any passive network observer capture credentials and session tokens without any active exploit.
Configure HSTS in next.config.js and ensure all OAuth redirect URIs are registered with HTTPS-only hostnames. The minimum max-age for FedRAMP-aligned systems is 31536000 seconds.
// next.config.js
const nextConfig = {
  async headers() {
    return [
      {
        // Match every route so auth pages, API routes and OAuth callbacks all get the header
        source: '/:path*',
        headers: [
          {
            key: 'Strict-Transport-Security',
            // 31536000 = one year, the stated minimum; includeSubDomains extends the
            // policy to every subdomain and preload allows submission to browser preload lists
            value: 'max-age=31536000; includeSubDomains; preload'
          }
        ]
      }
    ]
  }
}
// next.config.js is loaded as CommonJS unless package.json sets "type": "module"
// (or the file is named next.config.mjs), so use module.exports rather than export default
module.exports = nextConfig
Set all OAuth provider callback URLs (Auth0, Clerk, Supabase Auth) to https:// explicitly. Configure your hosting layer (Vercel, AWS CloudFront) to respond with a 301 redirect for any http:// request — do not rely on the application layer alone.
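As an added example (not part of this audit rule or of any provider's code), the two conditions just described can be checked offline: an HSTS value that meets the one-year minimum, and an http:// request to an auth path answered with a 301 to the same path on https://. The header strings and response objects used are constructed samples; header names are assumed lowercased as Node's http module reports them.

```javascript
// Added example, not from the original page: offline checks for the HSTS
// and HTTP->HTTPS redirect pass criteria. Sample inputs are constructed.
const MIN_HSTS_MAX_AGE = 31536000; // one year, the minimum stated above

// Parse "max-age=31536000; includeSubDomains; preload" into its directives.
// Returns null when the header is absent or carries no numeric max-age.
function parseHsts(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const hsts = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of headerValue.split(';')) {
    const [name, value = ''] = part.split('=').map((s) => s.trim());
    const key = name.toLowerCase();
    if (key === 'max-age' && /^\d+$/.test(value)) hsts.maxAge = Number(value);
    else if (key === 'includesubdomains') hsts.includeSubDomains = true;
    else if (key === 'preload') hsts.preload = true;
  }
  return hsts.maxAge === null ? null : hsts;
}

// Pass criterion: HSTS present with max-age of at least 31536000.
// The returned maxAge is the value to report even on pass.
function checkHsts(headerValue) {
  const hsts = parseHsts(headerValue);
  if (!hsts) return { pass: false, reason: 'HSTS header missing or has no max-age' };
  if (hsts.maxAge < MIN_HSTS_MAX_AGE) {
    return { pass: false, maxAge: hsts.maxAge, reason: `max-age below ${MIN_HSTS_MAX_AGE}` };
  }
  return { pass: true, maxAge: hsts.maxAge, includeSubDomains: hsts.includeSubDomains };
}

// Fail criterion: an http:// auth URL must answer with a 301 to the same path
// on https://, not with a 200 login page or a redirect to another http:// URL.
// `headers` is assumed to use lowercase names, as Node's http module does.
function checkHttpRedirect(requestUrl, response) {
  const original = new URL(requestUrl);
  if (response.status !== 301) return { pass: false, reason: `expected 301, got ${response.status}` };
  const location = response.headers['location'];
  if (!location) return { pass: false, reason: '301 without Location header' };
  const target = new URL(location, requestUrl); // a relative Location resolves against the request
  if (target.protocol !== 'https:') return { pass: false, reason: `redirect target is ${target.protocol} not https:` };
  if (target.host !== original.host || target.pathname !== original.pathname) {
    return { pass: false, reason: `redirect leaves the auth path: ${target.href}` };
  }
  return { pass: true, target: target.href };
}

// Constructed sample run: a compliant header and a login page served in the clear.
const hstsReport = checkHsts('max-age=31536000; includeSubDomains; preload');
const plainLogin = checkHttpRedirect('http://app.example/login', { status: 200, headers: {} });
```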
ID: gov-fisma-fedramp.access-control.auth-https-tls
Severity: critical
What to look for: Enumerate all authentication endpoints and OAuth callback URLs in the codebase. Count every location where credentials are transmitted: login forms, registration forms, password reset flows, OAuth callback handlers, and token exchange endpoints. For each, verify the URL scheme is HTTPS. Check next.config.js or equivalent for HSTS header configuration. Search for any hardcoded http:// URLs in auth flows, mixed content warnings, or insecure redirect patterns.
Pass criteria: All authentication flows (login, password reset, OAuth callbacks, token exchange) use HTTPS URLs with at least TLS 1.2. No unencrypted HTTP login pages exist. Framework enforces HTTPS in production (or hosting provider guarantees it). HSTS header present with max-age of at least 31536000. Report even on pass: report the count of auth endpoints verified and the HSTS max-age value found.
Fail criteria: Any authentication page or endpoint is served over HTTP, or login redirects to non-HTTPS URL, or code suggests insecure authentication transport in production. Do not pass when HSTS is configured only in development but not in production config.
Skip (N/A) when: Never — authentication security is non-negotiable.
Detail on fail: Identify the specific auth flow issue. Example: "OAuth callback redirect in auth config points to http://localhost:3000/auth/callback — HTTPS not enforced in production" or "Login page served over HTTP in pages/login.tsx with no HTTPS redirect"
Cross-reference: For security header details beyond TLS, see the Security Headers audit which covers CSP, X-Frame-Options, and additional transport protections.
Remediation: All authentication MUST use HTTPS with TLS 1.2 or higher. In Next.js, configure your hosting (Vercel, AWS, etc.) to enforce HTTPS and enable HSTS headers:
// next.config.js
const nextConfig = {
  headers: async () => [
    {
      // Apply to every route so no auth page or callback is left uncovered
      source: '/:path*',
      headers: [
        // One year is the minimum; add "; preload" once every subdomain is HTTPS-only
        { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' }
      ]
    }
  ]
}
// CommonJS export, which is how next.config.js is loaded unless package.json sets "type": "module"
module.exports = nextConfig
Ensure all authentication callback URLs in OAuth providers (Auth0, Clerk, etc.) use HTTPS. Redirect HTTP traffic to HTTPS at the server level.