Vulnerabilities

HTTPS Content Available via HTTP

The vulnerability 'HTTPS Content Available via HTTP' means that while your web application is using HTTPS to encrypt communication, it still allows users to access some resources via HTTP, which is not secure. This can be exploited by attackers to intercept sensitive data or carry out a man-in-the-middle attack.

The vulnerability 'HTTPS Content Available via HTTP' means that while your web application is using HTTPS to encrypt communication, it still allows users to access some resources via HTTP, which is not secure. This can be exploited by attackers to intercept sensitive data or carry out a man-in-the-middle attack. In this guide, we will provide a step-by-step manual on how to fix this vulnerability.

Step 1: Enable HTTPS on all pages of your web application

The first step is to ensure that your web application is entirely encrypted with HTTPS. To achieve this, you need to install an SSL certificate and configure your web server to redirect all HTTP requests to HTTPS. Here is an example of how to do this on Apache:

  1. Install an SSL certificate on your server. You can get a free SSL certificate from Let's Encrypt, or purchase one from a trusted certificate authority (CA).
  2. Modify your Apache virtual host configuration file to include the following lines:

<VirtualHost *:80> ServerName example.com Redirect permanent / https://example.com/ </VirtualHost> <VirtualHost *:443> ServerName example.com SSLEngine On SSLCertificateFile /path/to/cert.pem SSLCertificateKeyFile /path/to/key.pem SSLCertificateChainFile /path/to/chain.pem # ... other configurations ... </VirtualHost>

  1. Restart Apache to apply the changes.
    By doing this, all HTTP requests will be automatically redirected to HTTPS, ensuring that all pages of your web application are encrypted.

Step 2: Fix Mixed Content errors

Mixed Content errors occur when some resources (such as images, scripts, or stylesheets) are loaded via HTTP while the rest of the page is encrypted with HTTPS. This can occur if the resources are hard-coded to use HTTP or if they are loaded from third-party sources that don't support HTTPS.

To fix Mixed Content errors, you need to ensure that all resources are loaded via HTTPS. Here are some steps to follow:

  1. Use relative URLs or protocol-relative URLs when referencing resources. For example, instead of using <img src="http://example.com/image.jpg">, use <img src="//example.com/image.jpg">. This will ensure that the resource is loaded via the same protocol as the page.
  2. If you must use absolute URLs, ensure that they use HTTPS. For example, use <img src="https://example.com/image.jpg"> instead of <img src="http://example.com/image.jpg">.
  3. Use a Content Security Policy (CSP) to restrict which resources can be loaded on your web application. CSP is a mechanism that allows you to specify which types of resources are allowed to be loaded on a page. For example, you can use the following CSP header to restrict all resources to HTTPS:

Content-Security-Policy: default-src https: 'unsafe-inline' 'unsafe-eval';By implementing these steps, you can eliminate all Mixed Content errors and ensure that all resources are loaded securely via HTTPS.

Step 3: Implement HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is a security policy that forces all communication between the client and the server to be encrypted with HTTPS. It achieves this by instructing the client's browser to only use HTTPS when communicating with the server, even if the user types in an HTTP URL or clicks on an HTTP link.

To implement HSTS, you need to add the following header to your web application's response:

Strict-Transport-Security: max-age=31536000; includeSubDomains

This header tells the client's browser to only use HTTPS for the next 31536000 seconds (one year) and to include subdomains as well. Here's an example of how to implement HSTS on Apache:

  1. Open your Apache virtual host configuration file and add the following lines:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

  1. Restart Apache to apply the changes.

By implementing HSTS, you can ensure that all communication between the client and the server is encrypted with HTTPS, providing an additional layer of security.

Step 4: Test your web application

After implementing the above steps, it's essential to test your web application to ensure that the vulnerability 'HTTPS Content Available via HTTP' has been fixed. Here are some tools you can use to test your web application:

  1. SSL Server Test by Qualys SSL Labs: This tool will scan your web application and provide a report on the SSL configuration, including whether HTTP is being redirected to HTTPS, whether HSTS is enabled, and whether there are any Mixed Content errors.
  2. HTTP/HTTPS Header Check: This tool will check the HTTP headers of your web application to ensure that HSTS and other security headers are implemented correctly.
  3. Browser Developer Tools: You can use the developer tools built into your browser to check for Mixed Content errors. In Chrome, for example, you can open the developer tools, go to the Security tab, and look for any Mixed Content errors.
    By testing your web application, you can ensure that it's secure and free from the 'HTTPS Content Available via HTTP' vulnerability.

Conclusion

The 'HTTPS Content Available via HTTP' vulnerability can be a severe threat to your web application's security. However, by following the steps outlined in this guide, you can fix this vulnerability and ensure that your web application is secure. It's essential to stay up to date with the latest security best practices and to test your web application regularly to ensure that it's secure.

Hackers target weaknesses. We expose them.

Our expert VAPT identifies vulnerabilities in your web apps & network before attackers exploit them. Invest in peace of mind.

 Order Now

Latest Articles

View All Articles

Top 10 Security Best Practices For Sitecore Experience Manager (XM)

As a small business owner, you know that building trust with your customers is crucial for success. One of the key ways to earn and maintain that trust is by ensuring the security of your website and the data it holds. This is especially true if you use a content management system (CMS) like Sitecore Experience Manager (XM). This guide provides a detailed step-by-step manual on implementing the top ten security best practices for XM.

Mitigations
 min read

Top 10 Security Best Practices For Shopify

As a small business owner using Shopify, securing your online store is critical for maintaining customer trust and ensuring the integrity of your business operations. By implementing robust cybersecurity measures, you not only protect your business but also reassure your customers that their personal and financial information is safe with you. This guide provides a detailed step-by-step manual on implementing the top ten security best practices for Shopify.

Mitigations
 min read

Top 10 Security Best Practices For Joomla!

Ensuring the security of your website is paramount, especially for small business owners looking to earn the trust of potential customers. Security breaches can lead to financial loss, damage to your reputation, and loss of customer trust. This manual will guide you through the top ten security best practices for Joomla!, a popular content management system (CMS).

Mitigations
 min read