Description

This API endpoint was found processing payments over a non encrypted channel.

Using plain HTTP for APIs is a significant security risk because it exposes sensitive data to potential interception, manipulation, and unauthorized access. Services must only provide HTTPS endpoints.

Rationale

This finding works by identifying an API that:

• Is tracking a payment business logic event (tags containing the payment. prefix).
• Uses an HTTP connection, sending data in the clear over the wire.

Remediation

• Implement the HTTP Strict Transport Security (HSTS) header to instruct the user’s browser to always request the site over HTTPS.

References