elarlang
commented
9 hours ago | Situation at the moment: | # | Description | L1 | L2 | L3 | CWE |
|---|---|---|---|---|---|---|
| 9.1.1 | [MODIFIED] Verify that TLS is used for all connectivity between a client and external facing, HTTP-based services, and does not fall back to insecure or unencrypted communications. | ✓ | ✓ | ✓ | 319 | |
| 9.2.2 | [MODIFIED] Verify that an encrypted protocol such as TLS is used for all inbound and outbound connections to and from the application, including monitoring systems, management tools, remote access and SSH, middleware, databases, mainframes, partner systems, or external APIs. The server must not fall back to insecure or unencrypted protocols. | ✓ | ✓ | 319 | ||
| 9.3.1 | [ADDED] Verify that TLS or another appropriate transport encryption mechanism used for all connectivity between internal, HTTP-based services within the application, and does not fall back to insecure or unencrypted communications. | ✓ | ✓ | 319 |
Section titles to better understand the context of the requirements above:
- V9.1 HTTPS Communication with External Facing Services
- V9.2 General Service to Service Communication Security
- V9.3 HTTPS Communication between Internal Services
I find it quite complicated to write a requirement "If you use http: for an API, then don't auto-redirect to https:" as we disallow use http: in any situation.
If we find it worth to be mentioned, I think it should be done in 9.2.2.
randomstuff
Your API Shouldn't Redirect HTTP to HTTPS
The argument is that when a client uses 'http://api.example.org', it should fail instead of silently be insecure.
I propose to add a requirement that specifies what behavior a site should have when the HTTP version is accessed, whether it should redirect or return an error.