Check 10 of 24

HTTP Security Issues

Four classes of HTTP-layer mistakes that don't deserve their own check but each chip away at confidentiality and integrity: serving over plaintext, leaky cookies, mixed content references in HTML, and open redirects.

What this check probes

  • HTTP → HTTPS redirect — fetches http://yourdomain/ and looks for a 301/308 to the HTTPS equivalent. That first request goes out in cleartext whatever you do; without the redirect the browser stays on plaintext, so every following request (cookies included) is visible to a passive eavesdropper instead of just the one.
  • Cookie scope flags — every Set-Cookie header is parsed for the Secure, HttpOnly, and SameSite attributes. Detail in Check 14.
  • Mixed content — parses the HTTPS homepage HTML for http:// references in <script src>, <link href>, <img src>, <iframe src>. Active mixed content (script, stylesheet, frame) is blocked outright by browsers and breaks the page; passive content (images) is either loaded with a downgraded security indicator or, in current Chrome and Firefox, silently upgraded to https:// and blocked if the upgrade fails.
  • Open redirect — looks for query parameters that take a URL and bounce to it without validation. We test common parameter names (?url=, ?next=, ?redirect=, ?return=, ?dest=) with an external target and check whether the response 302s outbound.
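An offline model of the first three probes, written for this page as an added illustration (it is not the scanner's own code): the redirect verdict, Set-Cookie attribute parsing, and the mixed-content scan over constructed sample HTML. The hostnames in the samples are made up.

```python
"""Offline model of the probes described above: the HTTP->HTTPS redirect
check, Set-Cookie attribute parsing and the mixed-content scan of an HTML
page. The responses and HTML below are constructed samples, not live fetches."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def redirect_verdict(request_url, status, location):
    """Classify the response to a plaintext request.
    "ok"          : 301/308 to an https:// URL (what the check wants to see)
    "temporary"   : 302/307 to https:// (works, but caches and crawlers keep
                    retrying the http:// URL)
    "stays-http"  : a redirect whose target is still http:// (one more
                    plaintext hop, e.g. http://example.com -> http://www.example.com)
    "no-redirect" : the server answered the http:// request directly
    """
    if status not in (301, 302, 307, 308) or not location:
        return "no-redirect"
    # Location may be relative; resolve it against the URL that was requested.
    target = urlsplit(urljoin(request_url, location))
    if target.scheme != "https":
        return "stays-http"
    return "ok" if status in (301, 308) else "temporary"


def cookie_flags(set_cookie):
    """Parse one Set-Cookie header into the attributes this check reports."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        key, _, value = p.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return {
        "name": name,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        # SameSite that is missing (or present without a value) reports as None
        "samesite": attrs.get("samesite") or None,
    }


# Tag -> (URL attribute, mixed-content class). Browsers block the active
# class; the passive class is downgraded or auto-upgraded.
WATCHED = {
    "script": ("src", "active"),
    "link": ("href", "active"),
    "iframe": ("src", "active"),
    "img": ("src", "passive"),
}


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in WATCHED:
            return
        attr, kind = WATCHED[tag]
        url = dict(attrs).get(attr) or ""
        # Only an explicit http:// scheme is mixed content; protocol-relative
        # (//host/...) and path-relative references inherit https://.
        if url.lower().startswith("http://"):
            self.findings.append((kind, tag, url))


def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample of what an https:// homepage might contain.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<script src="https://cdn.example.net/app.js"></script>
<script src="http://cdn.example.net/legacy.js"></script>
</head><body>
<img src="http://images.example.net/logo.png">
<img src="//images.example.net/hero.png">
<iframe src="HTTP://widgets.example.net/chat"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(redirect_verdict("http://www.example.com/", 301, "https://www.example.com/"))
    print(cookie_flags("session=abc123; Path=/; HttpOnly; SameSite=Lax"))
    for kind, tag, url in find_mixed_content(SAMPLE_HTML):
        print(f"{kind:7} <{tag}> {url}")
```

Against the sample, three active findings (the stylesheet, the legacy script, the frame) and one passive one (the logo) come back; the protocol-relative hero image is correctly left alone. A "stays-http" verdict is worth watching for in real scans: an http://example.com → http://www.example.com → https://www.example.com chain passes a naive "does it end up on HTTPS" test while still leaving two plaintext hops.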

Why this matters for PCI DSS

PCI DSS 4.0 Requirement 4.2.1 requires strong cryptography and security protocols to protect PAN during transmission over open, public networks. The plaintext first request is the exposure: the browser attaches every cookie that lacks the Secure flag to it, and an attacker on the path can answer that request in place of your server and keep the victim on HTTP for the rest of the session (SSL stripping) rather than letting the redirect happen.

Open redirects don't directly steal cardholder data, but they're the standard primitive used in phishing campaigns to make a malicious URL look legitimate (it starts with your domain, then bounces to the attacker's). Phishing leading to credential theft hits Requirement 8 (identification and authentication).

How to fix it

HTTP → HTTPS redirect (nginx):

server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

Apache:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

IIS — install URL Rewrite, then in web.config:

<rewrite><rules>
  <rule name="HTTPS Redirect" stopProcessing="true">
    <match url=".*" />
    <conditions><add input="{HTTPS}" pattern="off" ignoreCase="true" /></conditions>
    <action type="Redirect" url="https://{HTTP_HOST}/{R:0}" redirectType="Permanent" />
  </rule>
</rules></rewrite>

Pair the redirect with HSTS (Check 3) so subsequent visits skip the HTTP request entirely. One caveat: if TLS terminates at a load balancer or CDN and your origin only ever sees port 80, the %{HTTPS} / {HTTPS} conditions above are always "off" and the rule loops; key the condition on the X-Forwarded-Proto header the proxy sets instead.

Mixed content — fix by changing http:// to https:// explicitly (protocol-relative // URLs also work on an HTTPS page, but they are an older idiom with no advantage now that the page is only ever served over HTTPS). For third-party assets you don't control, find an HTTPS-capable replacement or self-host.

A one-line CSP directive acts as a safety net by having the browser rewrite http:// subresource requests to https:// before they leave:

Content-Security-Policy: upgrade-insecure-requests

It is a browser-side fallback, not a substitute for fixing the references: a third-party host that doesn't answer on HTTPS still fails to load, and clients that don't implement the directive still fetch over plaintext.

Open redirect — never trust the value. Either:

  • Validate that the destination is on your own origin by parsing it and comparing the host exactly, not by a string-prefix check: https://example.com.evil.com and https://example.com@evil.com both start with https://example.com but land on evil.com. Relative paths are safest; reject anything that starts with // or /\, which browsers treat as scheme-relative.
  • Use a numeric ID that maps to a server-side allow-list of redirect targets.
  • Show an interstitial page warning the user they're leaving your site.
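The first two options above, written out as an added example for this page (not code from the scanner or any framework). example.com, the allow-list contents and the function names are hypothetical; the naive prefix check is included only to show the bypasses it lets through.

```python
"""Safe handling of a user-supplied redirect target (the ?next= / ?url= case
above), contrasted with the prefix check that is usually written first.
SITE_ORIGIN and REDIRECT_TARGETS are hypothetical values for this example."""
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.com"
DEFAULT_PORT = {"https": 443, "http": 80}

# Option 2 from the list: the query string carries an opaque numeric ID,
# and only the server knows which URL it maps to.
REDIRECT_TARGETS = {
    1: "/account",
    2: "https://help.example.com/",
}


def naive_is_safe(target):
    """The string-prefix check. Both bypasses in the test cases pass it."""
    return target.startswith(SITE_ORIGIN)


def _origin_tuple(url):
    """(scheme, host, effective port) for an absolute URL, or None if it
    cannot be parsed (bad port, malformed IPv6 literal, ...)."""
    try:
        p = urlsplit(url)
        port = p.port
    except ValueError:
        return None
    return (p.scheme, (p.hostname or "").lower(), port or DEFAULT_PORT.get(p.scheme))


def safe_redirect(target, default="/"):
    """Return `target` only if it provably lands on SITE_ORIGIN; else `default`.

    Accepted: a path-relative URL ("/account?tab=2") that is not
    scheme-relative, or an absolute URL whose parsed scheme, host and
    effective port equal ours. Everything else (other hosts, userinfo
    tricks, javascript:, control characters) falls back to `default`.
    """
    if not target or any(ord(c) < 0x21 for c in target):
        # Empty, or contains whitespace/control characters that URL parsers
        # and browsers strip inconsistently: refuse rather than guess.
        return default
    # Browsers treat "\" as "/" in http(s) URLs, so "/\evil.com" navigates
    # to //evil.com. Normalise before deciding anything.
    t = target.replace("\\", "/")
    if t.startswith("/"):
        return default if t.startswith("//") else t
    return t if _origin_tuple(t) == _origin_tuple(SITE_ORIGIN) else default


def redirect_by_id(raw, default="/"):
    """Option 2: resolve an ID from the query string via the allow-list."""
    try:
        return REDIRECT_TARGETS.get(int(raw), default)
    except (TypeError, ValueError):
        return default


if __name__ == "__main__":
    for candidate in ("/account", "https://example.com/x",
                      "https://example.com.evil.com/", "https://example.com@evil.com/",
                      "//evil.com", "/\\evil.com", "javascript:alert(1)"):
        print(f"{candidate!r:40} naive={naive_is_safe(candidate)!s:5} safe={safe_redirect(candidate)}")
```

The parse-then-compare approach also survives case differences and an explicit default port (HTTPS://EXAMPLE.com:443/ is still our origin), while the prefix check gets those wrong in the other direction. Keep the fallback a fixed internal path rather than echoing anything from the request.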

Fixed it? Re-run the scan to confirm.
