User signup endpoint without HTTPS

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Description

This API endpoint allows the registration of new users into an application over a non-encrypted channel.

Using plain HTTP for APIs is a significant security risk because it exposes sensitive data to potential interception, manipulation, and unauthorized access. Services must only provide HTTPS endpoints.

Rationale

This finding works by identifying an API that:

  • Is tracking a user signup business logic event (tag user.signup).
  • Uses an HTTP connection, sending data in the clear over the wire.

Remediation

  • Implement the HTTP Strict Transport Security (HSTS) header to instruct the user’s browser to always request the site over HTTPS.

References

ReferenceDescription
OWASP - Transport Layer Security Cheat SheetTransport Layer Security Cheat Sheet: guidance implementing transport layer protection for applications using Transport Layer Security (TLS).