Missing Encryption of Sensitive Data
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-311: Missing Encryption of Sensitive Data |
| OWASP | A03:2017 - Sensitive Data Exposure |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
The application is configured with `config.force_ssl = false`, so users can reach it over unencrypted HTTP instead of HTTPS. Sensitive data can therefore be transmitted in cleartext, where it is vulnerable to interception.
Impact
Without enforcing HTTPS, attackers can intercept or modify data sent between users and the application, potentially exposing sensitive information like login credentials or session tokens. This can lead to data breaches, account compromise, and loss of user trust.
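To make the fix concrete, the following added example (not code from the original page or from any framework) reproduces in a minimal Rack-style middleware what enabling `config.force_ssl = true` in `config/environments/production.rb` does in Rails through its SSL middleware: redirect plain-HTTP requests to HTTPS, send a Strict-Transport-Security header, and mark cookies Secure. The `ForceSsl` class, the `APP` lambda, the host name and the HSTS value are all constructed for this demonstration; the real middleware also handles non-GET methods and exclusions that are omitted here.

```ruby
# Constructed, simplified stand-in for the behaviour that `config.force_ssl = true`
# turns on: HTTP -> HTTPS redirect, HSTS header, and Secure flag on cookies.
class ForceSsl
  HSTS = "max-age=31536000; includeSubDomains".freeze # constructed value

  def initialize(app)
    @app = app
  end

  def call(env)
    # Cleartext request: never serve content, redirect to the HTTPS equivalent.
    return redirect_to_https(env) unless https?(env)

    status, headers, body = @app.call(env)
    headers["Strict-Transport-Security"] = HSTS
    headers["Set-Cookie"] = secure_cookie(headers["Set-Cookie"]) if headers["Set-Cookie"]
    [status, headers, body]
  end

  private

  # Accept TLS terminated locally or at a reverse proxy that sets X-Forwarded-Proto.
  def https?(env)
    env["rack.url_scheme"] == "https" || env["HTTP_X_FORWARDED_PROTO"] == "https"
  end

  def redirect_to_https(env)
    location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
    location += "?#{env['QUERY_STRING']}" unless env["QUERY_STRING"].to_s.empty?
    [301, { "Location" => location, "Content-Type" => "text/plain" }, ["Redirecting to HTTPS"]]
  end

  # Cookies issued over HTTPS must not be sent back over HTTP later.
  def secure_cookie(value)
    value =~ /;\s*secure/i ? value : "#{value}; Secure"
  end
end

# Constructed application that issues a session cookie without the Secure flag,
# as an app relying on `config.force_ssl = false` would.
APP = lambda do |_env|
  [200, { "Content-Type" => "text/plain", "Set-Cookie" => "session_id=abc123; HttpOnly" }, ["ok"]]
end

# Build a constructed Rack env and run it through the middleware.
def request(scheme, path, query = "")
  env = { "rack.url_scheme" => scheme, "HTTP_HOST" => "app.example",
          "PATH_INFO" => path, "QUERY_STRING" => query }
  ForceSsl.new(APP).call(env)
end
```

With the setting enabled, a request such as `request("http", "/login")` never reaches the application and the HTTPS response carries both the HSTS header and a Secure cookie.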