Route processes payments without HTTPS

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Description

This API endpoint was found processing payments over a non encrypted channel.

Using plain HTTP for APIs is a significant security risk because it exposes sensitive data to potential interception, manipulation, and unauthorized access. Services must only provide HTTPS endpoints.

Rationale

This finding works by identifying an API that:

  • Is tracking a payment business logic event (tags containing the payment. prefix).
  • Uses an HTTP connection, sending data in the clear over the wire.

Remediation

  • Implement the HTTP Strict Transport Security (HSTS) header to instruct the user’s browser to always request the site over HTTPS.

References

ReferenceDescription
OWASP - Transport Layer Security Cheat SheetTransport Layer Security Cheat Sheet: guidance implementing transport layer protection for applications using Transport Layer Security (TLS).