User preferences endpoint without HTTPS

Description

This API endpoint handles user profile settings over an unencrypted channel.

Using plain HTTP for APIs is a significant security risk because it exposes sensitive data to potential interception, manipulation, and unauthorized access. Services must only provide HTTPS endpoints.

Remediation

  • Implement the HTTP Strict Transport Security (HSTS) header to instruct the user’s browser to always request the site over HTTPS.

References

ReferenceDescription
OWASP - Transport Layer Security Cheat SheetTransport Layer Security Cheat Sheet: guidance implementing transport layer protection for applications using Transport Layer Security (TLS).