An API must ensure sensitive tokens, including both internal and user-specific tokens, are transmitted over secure channels using HTTPS to protect them from interception in transit. HTTPS encrypts the data exchanged between the client and the server, so an attacker who captures the traffic (e.g., through a man-in-the-middle position on the network) cannot read the tokens it carries. This encryption is essential for maintaining the confidentiality and integrity of sensitive information and for preventing unauthorized access to the API or its services. Without HTTPS, tokens are exposed in cleartext, potentially allowing malicious actors to hijack sessions, impersonate users, or gain unauthorized access to internal systems, compromising both security and privacy.
Check
Verify that the API transmits sensitive tokens, both internal and user-specific, only over secure channels using HTTPS.
If data being transmitted between the client and server is not using HTTPS, this is a finding.
Fix
Build or configure the API server to automatically redirect any HTTP request to HTTPS. This ensures all communication with the API is encrypted by default.
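As an added example (not part of this requirement's text), a minimal Go API server that applies this fix: every plaintext HTTP request is answered with a permanent redirect to the same host and path over HTTPS, and the HTTPS listener also sets a Strict-Transport-Security header, which goes beyond the fix text so browser clients stop attempting HTTP at all. The listen addresses, the /v1/resource route and the cert.pem/key.pem paths are placeholders.

```go
package main

import (
	"net/http"
	"strings"
)

// redirectToHTTPS answers any plaintext HTTP request with a permanent redirect
// to the same host, path and query over HTTPS, so the API never processes a
// request (or the token it carries) over HTTP.
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	host := r.Host
	// Drop an explicit port (e.g. ":8080") so the redirect lands on the default
	// HTTPS port; the "]" check leaves a bracketed IPv6 literal without a port intact.
	if i := strings.LastIndex(host, ":"); i != -1 && !strings.Contains(host[i:], "]") {
		host = host[:i]
	}
	target := "https://" + host + r.URL.RequestURI()
	// 308 preserves the method and body; 301 would downgrade POST to GET in browsers.
	http.Redirect(w, r, target, http.StatusPermanentRedirect)
}

// hsts wraps the HTTPS handler and instructs browsers to use only HTTPS for
// this host for two years (an addition beyond the fix text).
func hsts(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Plaintext listener: redirect only, no API routes are mounted here.
	go http.ListenAndServe(":80", http.HandlerFunc(redirectToHTTPS))

	// TLS listener: the real API. cert.pem/key.pem are placeholder paths.
	api := http.NewServeMux()
	api.HandleFunc("/v1/resource", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok"))
	})
	http.ListenAndServeTLS(":443", "cert.pem", "key.pem", hsts(api))
}
```

A redirect cannot recall a token a client has already sent in cleartext, so this mainly protects browsers and misconfigured clients on their first request; clients that are known to bear tokens should be configured with https:// base URLs from the start.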