Does not redirect to HTTPS from the HTTP port

OWASP 2013-A10 OWASP 2017-A6 OWASP 2021-A5 OWASP 2019-API7 OWASP PC-C1 CWE-818 WSTG-CLNT-04

This vulnerability occurs when an application served over plain HTTP (port 80) does not redirect requests to the HTTPS version of the same site. Every request that stays on HTTP is exposed to "Man in the middle" (MITM) attacks: anyone on the network path, from an attacker on the same Wi-Fi network to an intrusive ISP, can read and modify the traffic. HTTPS should be enforced even when no sensitive data is exchanged. Browser features such as service workers, which progressive web applications depend on, are only available in a secure (HTTPS) context. Without HTTPS an attacker can inject content into the page to trick end users into handing over credentials or other sensitive information, or into downloading malware, and can passively record everything that is sent. HTTPS stops both the eavesdropping and the tampering.


The following URL is an example of plain HTTP. A site reached this way is prone to MITM attacks.

The following URL is an example of HTTPS.

The following Apache mod_rewrite configuration is an example of this vulnerability: the rewrite condition tests for the wrong port, so requests arriving on port 80 are never redirected and are served over plaintext.

        RewriteEngine On
        # Vulnerable: port 150 is tested, so requests on the HTTP port (80) never match
        RewriteCond %{SERVER_PORT} 150
        # Redirect target (same host and path) restored here; it was missing from the original listing
        RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R,L]



The following are the impacts of this vulnerability:-

  • Session hijacking attacks - An HTTP request that carries a session ID cookie can be read by anyone on the network path, and the stolen cookie lets the attacker take over the user's session (session or cookie hijacking). Redirecting HTTP to HTTPS is not enough on its own: session cookies must also be marked Secure, otherwise the browser still sends them over the initial plaintext request before the redirect happens.

  • Man-In-The-Middle (MITM) attack - An attacker positioned between the client and the server can read, modify or inject content into any page that is served over plain HTTP.

Using this vulnerability, an attacker can:-

  • have access to all the unprotected information/data sent between the server and the clients.
  • passively listen to the communication to identify the end users. The identification includes name, location, interests and many more.

Mitigation / Precaution

Beagle recommends the following fixes:-

  • The application should redirect every plain-HTTP request to the HTTPS version of the same site, for example with Apache mod_rewrite:
        RewriteEngine On
        # Match plain-HTTP requests on port 80 exactly (anchored, so 8080 does not match)
        RewriteCond %{SERVER_PORT} ^80$
        # Permanent redirect to the same host and path over HTTPS
        RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
    A redirect still leaves the very first request in plaintext, so mark session cookies Secure and consider sending a Strict-Transport-Security header so that returning browsers go straight to HTTPS.

  • Make sure to clear the cache before re-testing: browsers cache redirects (a 301 in particular), so a browser that has already seen the old behaviour may not reflect the new rules. Test from a clean profile or with a command-line client.
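The check behind this finding, as an added example that is not Beagle's scanner or the page's own code: a small Python probe that sends one GET over plain HTTP without following redirects, and accepts the response only if it is a redirect to an https:// URL on the same host. It exercises both the vulnerable and the fixed deployment shown above by running two constructed loopback servers (one answering 200 over plaintext, one answering 301 to the same host over HTTPS); the hostnames, paths and handlers are assumptions made for the demo. `probe("www.example.com")` can be pointed at a real host instead.

```python
"""Probe a plain-HTTP endpoint and decide whether it redirects to HTTPS
on the same host. Added example for this page; the loopback servers and
sample hosts below are constructed for the demo."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def assess_redirect(request_host, request_path, status, headers):
    """Classify one response to a plain-HTTP GET.

    Returns (ok, reason). ok is True only when the response is a redirect
    whose Location is an https:// URL on the same host as the request.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status not in REDIRECT_STATUSES:
        return False, f"no redirect: served status {status} over plaintext HTTP"
    location = hdrs.get("location")
    if not location:
        return False, f"status {status} without a Location header"
    target = urlsplit(location)
    # A relative Location such as "/login" keeps the original http:// scheme.
    if target.scheme.lower() != "https":
        return False, f"redirect target is not HTTPS: {location}"
    if (target.hostname or "").lower() != request_host.lower():
        return False, f"redirect leaves the site: {location}"
    note = ""
    if (target.path or "/") != request_path:
        note = " (path changed)"
    if status in (302, 303, 307):
        note += f" (temporary {status}; prefer 301 or 308)"
    return True, f"redirects to {location}{note}"


def probe(host, port=80, path="/", timeout=5):
    """Send one GET over plain HTTP, do not follow redirects, assess the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        headers = dict(resp.getheaders())
        resp.read()
        return assess_redirect(host, path, resp.status, headers)
    finally:
        conn.close()


class _Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass


class VulnerableHandler(_Quiet):
    """Serves the page over plaintext instead of redirecting (the finding)."""
    def do_GET(self):
        body = b"<html><body>Login form served over HTTP</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class FixedHandler(_Quiet):
    """Permanent redirect to the same host and path over HTTPS (the fix)."""
    def do_GET(self):
        host = self.headers.get("Host", "localhost")
        self.send_response(301)
        self.send_header("Location", f"https://{host}{self.path}")
        self.send_header("Content-Length", "0")
        self.end_headers()


def run_demo():
    """Start each handler on loopback, probe it, return (vulnerable_ok, fixed_ok)."""
    results = []
    for handler in (VulnerableHandler, FixedHandler):
        server = HTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            ok, reason = probe("127.0.0.1", server.server_address[1], "/login")
            print(f"{handler.__name__}: ok={ok} {reason}")
            results.append(ok)
        finally:
            server.shutdown()
            server.server_close()
    return tuple(results)


if __name__ == "__main__":
    run_demo()
```

The host comparison uses the parsed hostname, so a redirect to `https://host:443/path` still counts as the same site, while a relative `Location`, an `http://` target, or a redirect to another domain is reported as a failure.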

Related Articles