Route processes payments without HTTPS

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Description

This API endpoint was found processing payments over a non encrypted channel.

Using plain HTTP for APIs is a significant security risk because it exposes sensitive data to potential interception, manipulation, and unauthorized access. Services must only provide HTTPS endpoints.

Rationale

This finding works by identifying an API that:

  • Is tracking a payment business logic event (tags containing the payment. prefix).
  • Uses an HTTP connection, sending data in the clear over the wire.

Remediation

  • Implement the HTTP Strict Transport Security (HSTS) header to instruct the user’s browser to always request the site over HTTPS.

References

ReferenceDescription
OWASP - Transport Layer Security Cheat SheetTransport Layer Security Cheat Sheet: guidance implementing transport layer protection for applications using Transport Layer Security (TLS).