ASVS Requirement 4.1.2
- Level: 2
- Chapter: V4 API and Web Service
- Section: V4.1 Generic Web Service Security
- Source: 0x13-V4-API-and-Web-Service.md
Description
Verify that only user-facing endpoints (intended for manual web-browser access) automatically redirect from HTTP to HTTPS, while other services or endpoints do not implement transparent redirects. This is to avoid a situation where a client is erroneously sending unencrypted HTTP requests, but since the requests are being automatically redirected to HTTPS, the leakage of sensitive data goes undiscovered.
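The following is an added illustration, not text or code from ASVS or the OWASP project: a minimal routing policy that redirects only browser-facing paths from HTTP to HTTPS and fails closed on everything else, placed beside the "redirect everything" pattern the requirement warns against, and a naive redirect-following client that shows why the global redirect hides the leak. The `/api/` prefix, the host name and the choice of 426 Upgrade Required as the refusal status are assumptions made for the example.

```python
"""
Added example (not part of ASVS or OWASP's own code). Demonstrates ASVS 4.1.2:
browser-facing endpoints may redirect HTTP -> HTTPS, API endpoints must not.
Route layout (/api/ = machine-to-machine) and host names are assumptions.
"""
from dataclasses import dataclass, field

REDIRECTS = {301, 302, 307, 308}
API_PREFIXES = ("/api/",)          # assumed: everything under /api/ is non-browser


@dataclass
class Request:
    scheme: str                    # "http" or "https"
    host: str
    path: str


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def is_user_facing(path: str) -> bool:
    """Only paths meant for manual browser access count as user-facing."""
    return not path.startswith(API_PREFIXES)


def redirect_everything(req: Request) -> Response:
    """The pattern 4.1.2 forbids: a blanket HTTP -> HTTPS redirect for all paths."""
    if req.scheme == "https":
        return Response(200, body="ok")
    return Response(301, {"Location": f"https://{req.host}{req.path}"})


def redirect_only_user_facing(req: Request) -> Response:
    """Compliant policy: redirect browsers, refuse plain-HTTP API calls outright."""
    if req.scheme == "https":
        return Response(200, body="ok")
    if is_user_facing(req.path):
        return Response(301, {"Location": f"https://{req.host}{req.path}"})
    # Non-browser client sent cleartext: fail loudly instead of quietly completing.
    # 426 Upgrade Required (RFC 9110) must carry an Upgrade header; no Location.
    return Response(426, {"Upgrade": "TLS/1.2, HTTP/1.1", "Connection": "Upgrade"},
                    body="plain HTTP is not accepted on this endpoint")


def follow(handler, req: Request, max_hops: int = 3):
    """Naive client that follows redirects, as most HTTP libraries do by default.
    Returns (final status, list of schemes the request travelled over), so the
    caller can see whether a body was ever sent in cleartext."""
    schemes = []
    resp = None
    for _ in range(max_hops):
        schemes.append(req.scheme)
        resp = handler(req)
        if resp.status not in REDIRECTS:
            return resp.status, schemes
        scheme, rest = resp.headers["Location"].split("://", 1)
        host, _, path = rest.partition("/")
        req = Request(scheme, host, "/" + path)
    return resp.status, schemes


def find_transparent_redirects(handler, api_paths, host="example.test"):
    """Assessment helper: report API paths that answer cleartext with a redirect."""
    offending = []
    for path in api_paths:
        resp = handler(Request("http", host, path))
        if resp.status in REDIRECTS:
            offending.append(path)
    return offending


if __name__ == "__main__":
    api = Request("http", "example.test", "/api/v1/orders")
    print("blanket redirect  :", follow(redirect_everything, api))      # (200, ['http', 'https'])
    print("scoped redirect   :", follow(redirect_only_user_facing, api))  # (426, ['http'])
    print("browser path      :", follow(redirect_only_user_facing,
                                        Request("http", "example.test", "/login")))
    print("offending API paths:", find_transparent_redirects(
        redirect_everything, ["/api/v1/orders", "/api/v1/me"]))
```

With the blanket redirect the API call ends in a 200 even though its first hop crossed the wire as plain HTTP, so nothing in the client's result hints at the exposure; with the scoped policy the same mistake surfaces immediately as a 426, and `find_transparent_redirects` gives an assessor a direct check for the requirement.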