Plain HTTP is used

Severity	Exploitability	Providers	Categories
HIGH	HIGH	AWS, Azure	NETWORK

Description

Plain HTTP should not be used, it is unencrypted. HTTPS should be used instead.

Impact

Potential data exposure	Visible in logs	User interaction required	Privileges required
True	False	True	False

Data is transmitted unencrypted, an eavesdropper has access to every request and response. An intruder can gain access to more systems by listening to unencrypted authentication requests. It also facilitates man-in-the-middle attacks.

Remediation guidelines

Identify and apply the policy for the concerned resource which enforces HTTPS only

References

• Why is HTTP not secure? | HTTP vs. HTTPS
• AWS Load Balancer, see protocol
• AWS CloudSearch domain, see enforce_https
• Enforce HTTPS with Azure App Service