High Severity
🟠 Missing HTTPS / Weak TLS Configuration
🧠 Description
The application does not enforce HTTPS (content is served over plain http:// instead of being redirected), presents a self-signed or otherwise untrusted certificate (so clients cannot tell the real server from an interposed one), or still negotiates obsolete protocol versions (SSLv3, TLS 1.0, TLS 1.1) and weak cipher suites. An attacker on the network path can read or modify traffic, or downgrade the connection to a version with known attacks, i.e. a man-in-the-middle position.
Impact: Credential Theft, Session Hijacking, Data Interception
🔍 Detection
- Request the application over http:// and confirm whether it is served there rather than redirected (301/308) to https://
- Check the certificate: issued by a trusted CA, hostname present in the SAN, not expired
- Test whether a handshake pinned to TLS 1.0 or TLS 1.1 (and SSLv3) succeeds
- Check the Strict-Transport-Security header on HTTPS responses (present, max-age of at least one year, includeSubDomains)
- Enumerate the offered cipher suites: RC4, 3DES, export/NULL, and static-RSA (non-forward-secret) suites are findings
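The detection steps above, as an added example that is not part of the original card: offline checks for the HSTS header, cipher-suite classification, the http:// redirect and certificate expiry, plus a live probe that pins a handshake to one TLS version. The sample HTTP response is constructed for the example, and the host used in the usage comment is a placeholder.

```python
"""Audit helpers for the detection steps above: HSTS parsing, cipher-suite
classification, redirect check, certificate expiry, and a live TLS-version probe."""
import re
import socket
import ssl
import time

HSTS_MIN_AGE = 31536000        # one year; preload lists require at least this
LEGACY_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)

# Suites with broken primitives or with no authentication of the server at all.
WEAK_CIPHER_RE = re.compile(r"NULL|EXPORT|RC4|DES|MD5|ADH|AECDH|anon")


def classify_cipher(name):
    """Return 'weak', 'legacy' or 'strong' for an OpenSSL cipher-suite name."""
    if WEAK_CIPHER_RE.search(name):
        return "weak"
    # TLS 1.3 suites (TLS_...) always use ephemeral key exchange; in TLS 1.2
    # only (EC)DHE suites give forward secrecy, so static RSA key exchange is weak.
    if not name.startswith("TLS_") and "DHE" not in name:
        return "weak"
    # Non-AEAD (CBC) suites are not broken outright but should be retired.
    if not any(tag in name for tag in ("GCM", "CHACHA20", "CCM")):
        return "legacy"
    return "strong"


def check_hsts(header_value):
    """Parse a Strict-Transport-Security value; return (ok, findings)."""
    if header_value is None:
        return False, ["Strict-Transport-Security header missing"]
    findings = []
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                findings.append("max-age is not an integer")
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        findings.append("max-age directive missing")
    elif max_age < HSTS_MIN_AGE:
        findings.append(f"max-age {max_age} is below one year")
    if not include_subdomains:
        findings.append("includeSubDomains not set (subdomains stay downgradeable)")
    ok = max_age is not None and max_age >= HSTS_MIN_AGE
    return ok, findings


def header_value(raw_response, name):
    """Pull one header out of a raw HTTP response (case-insensitive name match)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def check_http_redirect(status, location):
    """The plain-http:// listener should only answer with a redirect to https://."""
    return status in (301, 308) and location is not None and location.lower().startswith("https://")


def cert_days_left(peercert):
    """Days until expiry from ssl.getpeercert()'s 'notAfter' field (negative if expired)."""
    return (ssl.cert_time_to_seconds(peercert["notAfter"]) - time.time()) / 86400


def probe_tls_version(host, port, version, timeout=5.0):
    """Live check: True if the server completes a handshake pinned to `version`.
    Verification is disabled because only protocol negotiation is under test."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        ctx.set_ciphers("ALL:@SECLEVEL=0")   # offer legacy suites so old stacks answer
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        return False


# Constructed sample response (not captured from a real host) for the offline checks.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: example\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print("HSTS:", check_hsts(header_value(SAMPLE_RESPONSE, "Strict-Transport-Security")))
    for suite in ("TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-SHA",
                  "AES128-GCM-SHA256", "ECDHE-RSA-RC4-SHA"):
        print(suite, "->", classify_cipher(suite))
    # Live probe against a placeholder host (needs network access):
    # for v in LEGACY_VERSIONS:
    #     print(v, probe_tls_version("app.example.test", 443, v))
```

A server that returns True from `probe_tls_version` for either entry in `LEGACY_VERSIONS` fails the TLS-version check; `classify_cipher` is meant to be run over the names from `ssl.SSLSocket.cipher()` or an external scanner's output, and "legacy" suites are worth reporting but are a lower-priority finding than "weak" ones.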
🛡️ Mitigation
✅ Serve everything over HTTPS; redirect every http:// request to https://
✅ Use TLS 1.2+ only (disable SSLv3, TLS 1.0 and TLS 1.1); prefer TLS 1.3
✅ Send Strict-Transport-Security on HTTPS responses with max-age of at least one year (31536000) and includeSubDomains
✅ Use strong cipher suites: ECDHE key exchange with an AEAD cipher (AES-GCM or ChaCha20-Poly1305). AES-128 is sufficient key length; the suites to remove are RC4, 3DES, export/NULL, CBC-mode and static-RSA ones
✅ Use a valid certificate from a trusted CA, with the hostname in the SAN, and renew it before expiry
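The mitigation list above as a server-side configuration, added here as an example and not taken from the original card: the weak context the card describes sits beside a hardened one (TLS 1.2+, ECDHE + AEAD suites only), a plain-HTTP listener that does nothing but redirect to https://, and an HTTPS handler that sends HSTS on every response. `CANONICAL_HOST` and the certificate/key paths in the usage section are assumed placeholders.

```python
"""Server-side hardening for the mitigation list above: TLS 1.2+ AEAD-only
context, an HTTP -> HTTPS redirect listener, and HSTS on every HTTPS response."""
import ssl
import sys
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CANONICAL_HOST = "app.example.test"   # assumed deployment hostname (placeholder)
HSTS_VALUE = "max-age=31536000; includeSubDomains"   # one year, covers subdomains


def legacy_context():
    """The weak configuration the card describes, kept only for contrast."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # still negotiates 1.0 and 1.1
    ctx.set_ciphers("ALL:@SECLEVEL=0")           # RC4, 3DES, static RSA all offered
    return ctx


def hardened_context(certfile=None, keyfile=None):
    """TLS 1.2+ only, ECDHE key exchange with AEAD ciphers, server-side preference."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suite list; TLS 1.3 suites (all AEAD, all ephemeral) are added implicitly.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE | ssl.OP_NO_COMPRESSION
    if certfile:   # CA-issued chain + private key; never a self-signed cert in production
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def redirect_location(path):
    """Target for the plain-HTTP listener. The host is fixed rather than copied
    from the request's Host header, so the redirect cannot be turned into an
    open redirect to an attacker-chosen origin."""
    if not path.startswith("/"):
        path = "/"
    return f"https://{CANONICAL_HOST}{path}"


class RedirectToHTTPS(BaseHTTPRequestHandler):
    """Bind this on port 80: it serves no content, only 301s to the HTTPS origin.
    HSTS is deliberately not sent here; browsers ignore it over plain HTTP."""

    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", redirect_location(self.path))
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET


class SecureHandler(BaseHTTPRequestHandler):
    """Served behind hardened_context(); every response carries HSTS."""

    def end_headers(self):
        self.send_header("Strict-Transport-Security", HSTS_VALUE)
        super().end_headers()

    def do_GET(self):
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve_https(certfile, keyfile, port=8443):
    """Run SecureHandler on the hardened context (blocking)."""
    srv = ThreadingHTTPServer(("0.0.0.0", port), SecureHandler)
    srv.socket = hardened_context(certfile, keyfile).wrap_socket(srv.socket, server_side=True)
    srv.serve_forever()


if __name__ == "__main__":
    # Usage: python tls_server.py /path/to/fullchain.pem /path/to/privkey.pem
    # (placeholder paths; a real deployment would use a CA-issued certificate)
    if len(sys.argv) == 3:
        serve_https(sys.argv[1], sys.argv[2])
    else:
        print("redirect example:", redirect_location("/login?next=/account"))
        print("TLS 1.2 suites offered:", [c["name"] for c in hardened_context().get_ciphers()
                                          if c["protocol"] == "TLSv1.2"])
```

In a real deployment the redirect listener and the HTTPS server run on ports 80 and 443 respectively; the design choice worth noting is that `hardened_context` restricts both protocol version and cipher family at the context level, so no handler can accidentally accept a legacy handshake.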