We require every site to use Hypertext Transfer Protocol Secure (HTTPS) to deliver web content, including static pages. We flag sites that do not use this protocol with the issue type Site does not enforce HTTPS.
Why static pages need HTTPS encryption
Static pages are susceptible to man-in-the-middle attacks, where an intermediary can secretly intercept, read, and modify browser requests or server responses on an unencrypted site.
The threat actor can inject forms, chat responses, or malicious scripts into the exchanges between the site and the user, and use these injections for phishing, delivering malware, reaching into remote file systems, and collecting cookie information.
HTTPS protects the user by encrypting all the traffic in their exchanges with the site, rendering it unreadable to intermediaries.
To resolve the issue type Site does not enforce HTTPS, serve the site over HTTPS with a TLS certificate. We require a server-side HTTP 301 permanent redirect from the HTTP endpoint to the HTTPS endpoint.
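The following check mirrors the resolution criterion above: a request to the plain-HTTP endpoint must answer with a server-side 301 whose Location points at an https:// URL. This is an added example, not code from the original article or from the vendor's scanner; the function names (classify_http_response, probe_http) and the sample responses are constructed for illustration. The classifier is offline so it can be exercised against captured responses; probe_http performs one real request without following redirects, so it observes the first hop exactly as a scanner would.

```python
"""Check whether a site enforces HTTPS with a server-side 301 redirect.

Added example (not the article's or the vendor's code). Only a 301 whose
Location resolves to an https:// URL counts as enforcing HTTPS, matching
the requirement stated in the article. Temporary redirects (302/303/307),
plain 200 responses and redirects to non-HTTPS targets all fail.
"""
import http.client
from urllib.parse import urljoin, urlsplit


def classify_http_response(request_url, status, headers):
    """Classify the first-hop response to a plain-HTTP request.

    request_url: the http:// URL that was requested (needed to resolve a
                 relative Location header).
    status:      integer HTTP status code of the response.
    headers:     mapping of response header names to values (any case).

    Returns (enforced, reason): enforced is True only for a 301 whose
    Location header resolves to an https:// URL.
    """
    # Header names are case-insensitive; look Location up accordingly.
    location = None
    for name, value in headers.items():
        if name.lower() == "location":
            location = value
            break

    if status == 301:
        if location is None:
            return False, "301 without a Location header"
        # A relative Location (e.g. "/secure") resolves against the
        # http:// request URL and therefore stays on plain HTTP.
        target = urljoin(request_url, location)
        parts = urlsplit(target)
        if parts.scheme.lower() != "https":
            return False, f"301 to non-HTTPS target {target}"
        reason = f"301 permanent redirect to {target}"
        if parts.hostname != urlsplit(request_url).hostname:
            reason += " (note: redirect changes host)"
        return True, reason

    if status in (302, 303, 307):
        return False, f"{status} temporary redirect; a 301 permanent redirect is required"

    if 200 <= status < 300:
        return False, f"content served over plain HTTP (status {status}); no redirect"

    if status == 308:
        return False, "308 permanent redirect; the required code is 301"

    return False, f"unexpected status {status} on the HTTP endpoint"


def probe_http(host, path="/", timeout=10):
    """Make one plain-HTTP request and classify it without following redirects.

    Performs a live network request; not exercised by the offline test.
    """
    url = f"http://{host}{path}"
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        headers = dict(resp.getheaders())
        return classify_http_response(url, resp.status, headers)
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample responses (not captured from any real site).
    samples = [
        ("http://example.com/", 301, {"Location": "https://example.com/"}),
        ("http://example.com/", 200, {"Content-Type": "text/html"}),
        ("http://example.com/", 302, {"Location": "https://example.com/"}),
        ("http://example.com/", 301, {"location": "/secure"}),
    ]
    for url, status, hdrs in samples:
        ok, why = classify_http_response(url, status, hdrs)
        print("PASS" if ok else "FAIL", status, why)
```

A 200 with a client-side redirect (an HTML meta refresh or a JavaScript location change) still fails this check, which is the intended outcome: the article asks for a server-side redirect, and content that reaches the browser over plain HTTP has already been exposed to an intermediary.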
Learn more
- Why HTTPS for Everything?
- Insecure HTTP Redirect Pattern
- See this video post by security consultant Troy Hunt for more information about why HTTPS is essential for protecting static sites.