We host two of our servers on our i, with lots of NetData scripts, calling CL and RPGLE programs. For nearly 20 years everything has been fine (SSL and non-SSL). We have one server running non-SSL, another running SSL (SERVERA, SERVERSSL).

Over the past few weeks when we do a scan via SecureTrust, we've started getting this fail from them: HTTPS request can be accessed over HTTP.

Any idea on where to start looking to resolve this?

Following is some text that they provide on the fail error, if it helps...
Description: The application server does not distinguish between requests sent over an insecure channel (http) and requests originally sent over https, and gives a similar response. This type of vulnerability constitutes an access control weakness that can compromise the confidentiality of your data. Also, the availability of particular pages outside of a secured context can cause legitimate users to believe that the session is secure, and therefore submit private information in clear text. For example, if credit card details are entered in a session which is accessed over https, and if this session is accessible through http, then these details can be used by the attacker, resulting in loss of confidentiality.

CVE: CVE-NO-MATCH

Solution: Examine your web server's configuration to determine why pages that should only be viewable via HTTPS are being served over HTTP. Also, examine the configuration of any applications you have installed to ensure that the proper permissions are in place to prohibit forceful browsing of HTTPS resources over HTTP.
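A practical place to start is to reproduce the scanner's check yourself, so you can see which URLs it is complaining about. The following Python script is an added example and is not from the original post or the midrange.com thread: for every path that is meant to be HTTPS-only it fetches the page from the SSL listener, requests the same path from the plain-HTTP listener without following redirects, and reports whether the HTTP side redirected to https://, refused, or served the same content. The host names, the `/secure/orders` style paths and the `https-only-check` user agent are placeholders I have assumed; substitute your own SERVERA and SERVERSSL addresses and Net.Data URLs.

```python
"""Reproduce the SecureTrust finding "HTTPS request can be accessed over HTTP".

For each path that is meant to be HTTPS-only, the script fetches it from the
SSL listener, then asks the plain-HTTP listener for the same path without
following redirects, and classifies the HTTP answer:

  REDIRECT      3xx whose Location is an https:// URL (the expected answer)
  REFUSED       4xx/5xx, or the connection was refused/timed out (acceptable)
  SERVED        2xx with a body identical to the HTTPS response: this is
                exactly what the scanner flags
  SERVED_OTHER  2xx but a different body (often a page that embeds a
                timestamp or session token; compare by eye before dismissing)
  OTHER         anything else, e.g. a redirect that stays on http://

classify() is pure so it can be checked offline; fetch() does the live call.
Host names and paths used in __main__ are placeholders, not from the post.
"""
import hashlib
import ssl
import sys
import urllib.error
import urllib.request

REDIRECT_CODES = {301, 302, 303, 307, 308}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Return None so urllib raises HTTPError on 3xx instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def body_digest(body: bytes) -> str:
    """SHA-256 of the body, used to compare the HTTP and HTTPS copies."""
    return hashlib.sha256(body).hexdigest()


def classify(http_status, http_headers, http_body, https_body):
    """Classify the plain-HTTP answer for a path that should be HTTPS-only.

    http_status is None when no HTTP response was obtained at all.
    """
    if http_status is None:
        return "REFUSED"
    headers = {k.lower(): v for k, v in http_headers.items()}
    location = headers.get("location", "")
    if http_status in REDIRECT_CODES:
        return "REDIRECT" if location.lower().startswith("https://") else "OTHER"
    if 200 <= http_status < 300:
        same = body_digest(http_body) == body_digest(https_body)
        return "SERVED" if same else "SERVED_OTHER"
    if http_status >= 400:
        return "REFUSED"
    return "OTHER"


def fetch(url, timeout=10, verify_tls=True):
    """GET url without following redirects.

    Returns (status, headers, body); status is None if no response came back.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:  # e.g. an internally issued certificate on the SSL instance
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(NoRedirect(), urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(url, headers={"User-Agent": "https-only-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:      # 3xx (because of NoRedirect), 4xx, 5xx
        return err.code, dict(err.headers), err.read()
    except (urllib.error.URLError, OSError):   # connection refused, reset, timeout, DNS
        return None, {}, b""


def check_paths(https_base, http_base, paths, verify_tls=True):
    """Return {path: verdict} for every path, using the HTTPS copy as the reference."""
    results = {}
    for path in paths:
        _, _, https_body = fetch(https_base + path, verify_tls=verify_tls)
        status, headers, body = fetch(http_base + path, verify_tls=verify_tls)
        results[path] = classify(status, headers, body, https_body)
    return results


if __name__ == "__main__":
    # Example (placeholder hosts):
    #   python https_only_check.py https://serverssl.example http://servera.example /secure/orders
    if len(sys.argv) < 4:
        sys.exit("usage: https_base http_base path [path ...]")
    https_base, http_base, *paths = sys.argv[1:]
    for path, verdict in check_paths(https_base, http_base, paths).items():
        print(f"{verdict:13} {http_base}{path}")
```

Run it with the scanned paths and look at the verdicts: any line reporting SERVED is a URL the scanner will keep flagging, because the non-SSL instance answers with the same content the SSL instance does. On Apache-derived servers, which includes the IBM HTTP Server for i, the usual remedy is for the port-80 instance to answer those paths only with a redirect to the https:// URL, or not to serve the HTTPS-only directories at all, rather than with a copy of the content; rerun the script after the change until every path reports REDIRECT or REFUSED.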

This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.