Severity: Medium (in Scoring 2.0); Low (in Scoring 3.0)
Factor: Application Security
Why this matters
This finding surfaces cases where a site redirects to a different domain in a way that limits the protection HTTPS and HSTS headers would otherwise provide. That leaves your organization exposed to users being redirected to a spoofed or malicious version of the site.
The site sends a redirect response to the browser, sending it from HTTP to an HTTPS site on a different domain or subdomain. The browser therefore never receives a usable HSTS header for the original domain: browsers ignore HSTS headers sent over plain HTTP, and the header set by the new secure domain does not apply to the original domain. A correctly set HSTS header on the original domain would prevent an attacker from intercepting and maliciously modifying the redirect to the new domain on future visits.
Example request chain:

| REQUEST CHAIN |
|---|
| http://mail.example.com/ |
| 302 |
| https://mail.google.com |
| 301 |
| https://mail.google.com/mail/ |
| 302 |
| https://accounts.google.com/ServiceLogin?service=mail&passive=true&continue=https://mail.google.com/mail/&ss=1&scc=1&ltmpl=ecobx&nui=5&btmpl=mobile&emr=1&osid=1 |
In the preceding request chain, the redirect to HTTPS is issued with a 302 (temporary redirect), which increases the risk of a Man-in-the-Middle (MITM) attack because a 301 (permanent redirect) is not used.
Additional examples:
When a 301 response code is returned in response to a GET request for the root page of a web server, check the Location response header against the following decision table.
| Scenario | Initial URL | 1st intermediary redirect | 2nd intermediary redirect | Redirect to final URL | Valid? |
|---|---|---|---|---|---|
| 1 | http://example.com | none | none | 301 or 302 to https://example.com | Yes, this is as simple as you can get. |
| 2 | http://example.com | none | none | 301 or 302 to https://www.example.com | Yes, if HSTS is in place. No, if HSTS is not present at the final URL. |
| 3 | http://example.com | none | none | 301 or 302 to https://example.net | Yes, if HSTS is in place; includeSubDomains recommended. No, if HSTS is not present at the final URL. |
| 4 | http://www.example.com | 301 or 302 to http://www.example2.com | none | 301 or 302 to https://example.com | Yes, if HSTS is in place; includeSubDomains recommended. No, if HSTS is not present at the final URL. |
| 5 | http://www.example.com | 301 or 302 to http://www.example2.com | 301 or 302 to http://www.example3.com | 301 or 302 to https://example.com | No, there are too many insecure redirects in this scenario even if HSTS is present at the final URL. |
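As an added example (not SecurityScorecard's own tooling), the following Python applies the decision table above, together with the remediation guidance in this article (first redirect to HTTPS on the requested or parent domain, 301 for cross-domain redirects), to a redirect chain modelled as an ordered list of hops. The hop lists and HSTS header values are constructed to mirror scenarios 1 to 5 and are not captured traffic; host comparison is by exact host or parent host only (no public-suffix lookup), and the HSTS parsing follows RFC 6797.

```python
"""Classify an HTTP -> HTTPS redirect chain against the decision table.
Added example, not SecurityScorecard tooling; fixtures below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

@dataclass
class Hop:
    """URL requested, the status it returned, and its response headers."""
    url: str
    status: int
    headers: Dict[str, str] = field(default_factory=dict)

@dataclass
class Verdict:
    valid: bool
    reasons: List[str] = field(default_factory=list)
    recommendations: List[str] = field(default_factory=list)

def hsts_directives(headers: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Parse Strict-Transport-Security (RFC 6797); None if the header is absent."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return None
    parts = [p.strip().lower() for p in value.split(";") if p.strip()]
    max_age = 0
    for part in parts:
        if part.startswith("max-age="):
            try:
                max_age = int(part.split("=", 1)[1].strip('"'))
            except ValueError:
                max_age = 0  # a malformed max-age gives no protection
    return {"max_age": max_age, "include_subdomains": "includesubdomains" in parts}

def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()

def same_or_parent(initial_host: str, target_host: str) -> bool:
    """www.example.com -> www.example.com or -> example.com both qualify."""
    return target_host == initial_host or initial_host.endswith("." + target_host)

def evaluate_chain(hops: List[Hop]) -> Verdict:
    if len(hops) < 2:
        return Verdict(False, ["chain contains no redirect"])
    initial, final = hops[0], hops[-1]
    if any(h.status not in REDIRECT_STATUSES for h in hops[:-1]):
        return Verdict(False, ["a hop before the final URL did not redirect"])
    if urlsplit(final.url).scheme != "https":
        return Verdict(False, ["final URL is not HTTPS"])
    # Each plain-HTTP intermediary is another Location header a MITM could rewrite.
    insecure_hops = [h for h in hops[1:-1] if urlsplit(h.url).scheme == "http"]
    if len(insecure_hops) >= 2:
        return Verdict(False, [f"{len(insecure_hops)} insecure intermediary redirects (scenario 5)"])
    v = Verdict(True)
    same_host = host_of(final.url) == host_of(initial.url)
    hsts = hsts_directives(final.headers)
    if same_host and not insecure_hops:
        v.reasons.append("redirects to HTTPS on the requested host (scenario 1)")
    elif hsts and hsts["max_age"] > 0:
        v.reasons.append("different host, but the final URL sets HSTS (scenarios 2-4)")
        if not hsts["include_subdomains"]:
            v.recommendations.append("add includeSubDomains to the HSTS header")
    else:
        return Verdict(False, ["different host and no HSTS at the final URL"])
    # Remediation guidance: upgrade to HTTPS on the requested (or parent) domain
    # first, and use 301 when the destination is another domain.
    first = hops[1]
    if not (urlsplit(first.url).scheme == "https"
            and same_or_parent(host_of(initial.url), host_of(first.url))):
        v.recommendations.append("first redirect should go to HTTPS on the originally requested domain")
    if not same_host and any(h.status != 301 for h in hops[:-1]):
        v.recommendations.append("use 301 rather than 302 for the cross-domain redirect")
    return v

# Constructed fixtures mirroring the decision table (not captured traffic).
HSTS_FULL = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
HSTS_BARE = {"Strict-Transport-Security": "max-age=31536000"}
SCENARIOS = {
    "1_same_host": [Hop("http://example.com/", 301), Hop("https://example.com/", 200)],
    "2_www_hsts": [Hop("http://example.com/", 302), Hop("https://www.example.com/", 200, HSTS_BARE)],
    "2_www_no_hsts": [Hop("http://example.com/", 302), Hop("https://www.example.com/", 200)],
    "3_other_domain": [Hop("http://example.com/", 301), Hop("https://example.net/", 200, HSTS_FULL)],
    "4_one_insecure_hop": [Hop("http://www.example.com/", 301), Hop("http://www.example2.com/", 301),
                           Hop("https://example.com/", 200, HSTS_FULL)],
    "5_two_insecure_hops": [Hop("http://www.example.com/", 301), Hop("http://www.example2.com/", 301),
                            Hop("http://www.example3.com/", 301), Hop("https://example.com/", 200, HSTS_FULL)],
}

def run_scenarios() -> Dict[str, Verdict]:
    return {name: evaluate_chain(hops) for name, hops in SCENARIOS.items()}

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {'VALID' if verdict.valid else 'INVALID'} - {'; '.join(verdict.reasons)}")
        for rec in verdict.recommendations:
            print(f"    recommend: {rec}")
```

To check a live site, populate the `Hop` list from each response in the chain (for example from the status lines and `Location`/`Strict-Transport-Security` headers printed by cURL with redirect following enabled) and pass it to `evaluate_chain`; a chain that is valid only because of HSTS still returns recommendations, which correspond to the "compensating control" guidance further down this article.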
How you can remediate this issue
Any HTTP site should redirect the browser to a secure (HTTPS) version of the same domain that was originally requested (or a higher-level version of that same domain). For example, http://www.example.com should only redirect either to https://www.example.com or https://example.com. This redirect should precede redirection to any other domain or subdomain.
Alternatively, add HSTS to the Final URL.
How you can resolve it in SecurityScorecard
When submitting a resolution request, ensure you include supporting evidence where necessary. This will greatly assist us in ensuring your issue is resolved in a timely manner. See the following options for resolving the findings:
I have fixed this
Redirect to a final URL on the same domain as the initial URL, preferably with HSTS in place. Validate with any redirect checker or at the command line with cURL, following the redirect chain and showing only headers. Example:
curl -IL http://example.com
I have a compensating control
If the final URL is on a different domain from the initial URL, a 301 redirect must be used and the final URL should have HSTS in place with the includeSubDomains directive.
Additionally, we recommend implementing HTTP Strict Transport Security (HSTS) on the target domain, and we will accept that as a compensating control for the submitted IP or domain. Afterward, the findings will no longer appear for that asset.
Note: The finding will still show up for new assets not yet submitted with a compensating control.
This is not my IP or domain
If the asset (IP or domain) is not owned by your organization, please submit evidence.
I cannot reproduce this issue and I think it’s incorrect
Choose this option if you feel that SecurityScorecard is reporting this issue incorrectly and you have not yet attempted to correct the issue in your environment. Validate with any redirect checker or at the command line with cURL (example: curl -IL http://example.com) before submitting.