Severity: high. Category: Web Security

Missing HTTPS Redirect Exposes Traffic to Interception

What Is This Vulnerability?

When your application does not redirect HTTP requests to HTTPS, users who type your domain without the https:// prefix or follow plain HTTP links send their initial request in cleartext. This exposes cookies, session tokens, and form data to anyone who can observe the network traffic, including attackers on public Wi-Fi networks.

Why It Happens

Many hosting platforms handle HTTPS termination at the load balancer but do not automatically redirect HTTP traffic. Developers assume the CDN or reverse proxy handles it, but without explicit redirect rules, the HTTP endpoint remains active and serves content over an unencrypted connection.

Example Code

Vulnerable (server.ts):

```typescript
import express from "express";

const app = express();

// No HTTPS redirect, serves content over HTTP
app.get("/", (req, res) => {
  res.send("Welcome to the app");
});

app.listen(80, () => {
  console.log("Server running on port 80");
});
```
Fixed (server.ts):

```typescript
import express from "express";

const app = express();

// Redirect cleartext requests to HTTPS. TLS is terminated upstream, so the
// scheme the client used arrives in the X-Forwarded-Proto header set by the proxy.
app.use((req, res, next) => {
  if (
    req.headers["x-forwarded-proto"] !== "https" &&
    process.env.NODE_ENV === "production"
  ) {
    // Permanent redirect so browsers remember the upgrade for this URL.
    return res.redirect(301, `https://${req.hostname}${req.url}`);
  }
  next();
});

app.get("/", (req, res) => {
  res.send("Welcome to the app");
});

app.listen(80, () => {
  console.log("Server running on port 80");
});
```

How Hackers Exploit It

An attacker on the same network (coffee shop Wi-Fi, hotel network, compromised router) performs a man-in-the-middle attack on HTTP connections. They intercept the cleartext request, steal session cookies, inject malicious scripts into the response, or redirect the user to a phishing page. This attack is known as SSL stripping.

How to Fix It

Configure your server or reverse proxy to redirect all HTTP requests to HTTPS with a 301 status code. Enable HSTS (Strict-Transport-Security) with a long max-age to instruct browsers to always use HTTPS for your domain. Submit your domain to the HSTS preload list for protection on the very first visit.

Frequently Asked Questions

Is HTTPS enough, or do I also need the redirect?
HTTPS alone only protects connections that are initiated as HTTPS. Without a redirect, users who visit http://yoursite.com still send their first request in cleartext. The redirect ensures every user is upgraded to a secure connection immediately.
What is HSTS and why do I need it?
HTTP Strict Transport Security (HSTS) is a header that tells browsers to always use HTTPS for your domain. After the first HTTPS visit, the browser will automatically upgrade any HTTP requests to HTTPS, preventing SSL stripping attacks on subsequent visits.
How do I handle HTTPS in a containerized deployment?
Typically, TLS termination happens at the load balancer or ingress controller, not the application container. Check the x-forwarded-proto header to detect the original protocol and redirect if it was HTTP. Configure your ingress to also perform the redirect at the edge for better performance.
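As an added example (not the page's own code), the upgrade logic from "How to Fix It" and the container answer above written as one framework-agnostic decision function: it trusts X-Forwarded-Proto only when the app is configured as sitting behind a proxy, reads the leftmost value when several proxies have appended to the header, redirects to a configured canonical host instead of echoing the incoming Host header, and attaches HSTS to responses that are already encrypted. The names HttpsPolicy, IncomingRequest, decideUpgrade and hstsValue, and the sample requests in the comments, are assumptions made for this illustration.

```typescript
// Example code, not from the page: decide whether a request must be upgraded to HTTPS.
interface HttpsPolicy {
  canonicalHost: string;      // host used in the Location header; never taken from Host
  behindProxy: boolean;       // only then is X-Forwarded-Proto trusted
  hstsMaxAgeSeconds: number;  // e.g. 31536000 for one year
  includeSubDomains: boolean;
}

interface IncomingRequest {
  method: string;
  url: string;                // path plus query, e.g. "/login?next=%2F"
  secure: boolean;            // true when TLS was terminated in this process
  headers: Record<string, string | undefined>;
}

type UpgradeDecision =
  | { action: "redirect"; status: 301 | 308; location: string }
  | { action: "serve"; headers: Record<string, string> };

// Work out the scheme the client actually used. The proxy header is honoured only
// when we know a proxy is in front of us; its leftmost entry is the client's hop.
function clientUsedHttps(req: IncomingRequest, policy: HttpsPolicy): boolean {
  if (req.secure) return true;
  if (!policy.behindProxy) return false;
  const forwarded = req.headers["x-forwarded-proto"] ?? "";
  return (forwarded.split(",")[0] ?? "").trim().toLowerCase() === "https";
}

// Build the Strict-Transport-Security value from the policy.
function hstsValue(policy: HttpsPolicy): string {
  const base = `max-age=${policy.hstsMaxAgeSeconds}`;
  return policy.includeSubDomains ? `${base}; includeSubDomains` : base;
}

function decideUpgrade(req: IncomingRequest, policy: HttpsPolicy): UpgradeDecision {
  if (clientUsedHttps(req, policy)) {
    // Already encrypted: send HSTS so the browser upgrades later HTTP requests itself.
    return {
      action: "serve",
      headers: { "Strict-Transport-Security": hstsValue(policy) },
    };
  }
  // Cleartext request: redirect to the canonical HTTPS origin. 301 suits GET/HEAD;
  // 308 keeps the method and body intact for other verbs.
  const status = req.method === "GET" || req.method === "HEAD" ? 301 : 308;
  return {
    action: "redirect",
    status,
    location: `https://${policy.canonicalHost}${req.url}`,
  };
}
```

Wire decideUpgrade into whatever framework is in use by mapping a "redirect" result to a redirect response and copying the "serve" headers onto the normal response before calling the next handler.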
