HTTPS-001 - Ensure the API Requires HTTPS for All Connections.
Title : HTTPS-001 - Ensure the API Requires HTTPS for All Connections.
Created By : arun-ramanan@netspective.in
Created At : 2024-12-15
Priority : High
Description
The API should enforce secure communication by requiring all client-server interactions to use HTTPS. This ensures that data exchanged between the client and server is encrypted in transit, preventing interception or tampering by unauthorized parties. An API that accepts plain HTTP connections exposes sensitive data, such as authentication credentials or personal information, to anyone positioned on the network path.
Pre-Conditions:
- The API server must be accessible over both HTTP and HTTPS.
- Testing tools such as Postman or cURL should be configured to make HTTP and HTTPS requests.
- Ensure no network-level redirection (for example at a proxy or load balancer in front of the API) is applied, so that the behaviour observed is that of the API server itself.
Test Steps:
- Step 1: Send an HTTP GET request to the API endpoint.
- Step 2: Verify the server responds with a redirection (HTTP 301 or 308) whose Location header points to the HTTPS endpoint for the same resource.
- Step 3: Send an HTTPS GET request to the same endpoint.
- Step 4: Verify the server responds with a 200 OK status code and the expected resource.
- Step 5: Check that the HTTPS response includes the Strict-Transport-Security (HSTS) header.
Expected Result:
- All HTTP requests are redirected to HTTPS with a 301 or 308 status code.
- HTTPS requests successfully return the expected resource with a 200 OK status code.
- The HTTPS response includes a valid Strict-Transport-Security (HSTS) header (at minimum, a max-age directive is present).
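The following is an added example, not part of the original test case: a small Python checker that encodes Steps 2, 4 and 5 as assertions over captured responses, plus a helper that performs the HTTP and HTTPS requests of Steps 1 and 3 without following redirects. The host, path, sample responses and the one-year HSTS max-age threshold are constructed assumptions of this example, not values from the test case.

```python
"""HTTPS-001 checker: evaluate HTTP->HTTPS redirect and HSTS findings.

Added example for this test case; sample responses below are constructed.
"""
import http.client
import re
from urllib.parse import urlsplit

# Assumed threshold: one year is a common recommendation for HSTS max-age.
ONE_YEAR = 31536000
HSTS_MAX_AGE = re.compile(r"max-age=(\d+)", re.IGNORECASE)


def check_http_redirect(status, headers, expected_host, expected_path):
    """Step 2: plain HTTP must answer 301/308 with an https Location for the same resource."""
    findings = []
    if status not in (301, 308):
        findings.append(f"HTTP status {status}, expected 301 or 308")
    location = headers.get("location", "")
    target = urlsplit(location)
    if target.scheme != "https":
        findings.append(f"Location is not https: {location!r}")
    elif target.hostname != expected_host or target.path != expected_path:
        findings.append(f"Location points elsewhere: {location!r}")
    return findings


def check_hsts(headers, min_max_age=ONE_YEAR):
    """Step 5: HSTS header present, with a numeric max-age of at least min_max_age."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ["Strict-Transport-Security header missing"]
    match = HSTS_MAX_AGE.search(value)
    if not match:
        return [f"HSTS without max-age: {value!r}"]
    if int(match.group(1)) < min_max_age:
        return [f"HSTS max-age {match.group(1)} below {min_max_age}"]
    return []


def check_https_response(status, headers):
    """Step 4 (200 OK) combined with the Step 5 HSTS check."""
    findings = [] if status == 200 else [f"HTTPS status {status}, expected 200"]
    return findings + check_hsts(headers)


def fetch(scheme, host, path):
    """Steps 1 and 3: http.client does not follow redirects, so the 301/308 stays visible."""
    cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
    conn = cls(host, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return resp.status, headers


def evaluate(host, path, http_resp, https_resp):
    """Return all findings; an empty list means HTTPS-001 passes."""
    return check_http_redirect(*http_resp, host, path) + check_https_response(*https_resp)
```

To run against a live endpoint, pass `fetch("http", host, path)` and `fetch("https", host, path)` to `evaluate`; a compliant API yields an empty findings list.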