May be related to: HTTP Strict Transport Security[1]. It can be done in
the Apache config, for example:

Header always set Strict-Transport-Security "max-age=7776000;includeSubDomains"

[1] https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
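As an added example (not part of the reply above or of IBM's HTTP Server configuration), here is how the HSTS header fits into a complete Apache 2.4 setup that also stops the plain-HTTP listener from serving the application, which is the condition the scanner is actually testing for. Host names, ports, DocumentRoot, log and certificate paths are placeholders; on IBM i HTTP Server (powered by Apache) the TLS certificate is selected with SSLAppName rather than the mod_ssl file directives shown here.

```apache
# Added example, not from the original reply. Two virtual hosts:
#   *:80  answers every request with a redirect and serves nothing else
#   *:443 is the only place the application is reachable, and sends HSTS
# Requires mod_alias (Redirect), mod_headers (Header) and mod_ssl.
# All host names and paths below are assumptions.

# Plain-HTTP listener: no DocumentRoot, no ScriptAlias, no application.
<VirtualHost *:80>
    ServerName www.example.com

    # mod_alias keeps the rest of the path and the query string, so
    # http://www.example.com/cgi-bin/db2www/x.ndb?y=1 becomes
    # https://www.example.com/cgi-bin/db2www/x.ndb?y=1.
    # A 301 turns a POST into a GET; if non-browser clients still POST over
    # HTTP, use "Redirect 308" so method and body survive, and fix the clients.
    Redirect permanent "/" "https://www.example.com/"
</VirtualHost>

# HTTPS listener: the real server.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot "/www/serverssl/htdocs"          # assumed path

    SSLEngine on
    # IBM i: replace the two file directives with SSLAppName and the
    # DCM application ID assigned to this server instance.
    SSLCertificateFile    "/etc/ssl/www.example.com.crt"   # assumed path
    SSLCertificateKeyFile "/etc/ssl/www.example.com.key"   # assumed path

    # HSTS: a browser that has seen this header over HTTPS rewrites later
    # http:// navigations to https:// itself for max-age seconds
    # (7776000 s = 90 days). "always" adds it on error responses as well.
    # Send includeSubDomains only if every subdomain is served over HTTPS,
    # otherwise those subdomains become unreachable for returning browsers.
    Header always set Strict-Transport-Security "max-age=7776000; includeSubDomains"
</VirtualHost>

# Manual check after restarting the server (expected results in comments):
#   curl -sI http://www.example.com/some/page
#     -> "HTTP/1.1 301 Moved Permanently"
#        "Location: https://www.example.com/some/page"
#   curl -sI https://www.example.com/some/page
#     -> "Strict-Transport-Security: max-age=7776000; includeSubDomains"
```

Design note: the scanner sends a plain-HTTP request for a URL it first saw over HTTPS and compares the two responses, and it starts with no HSTS state, so the header on its own does not change what the port-80 vhost returns. The redirect (or, for an API-only host, a 403) is what makes the HTTP response differ from the HTTPS one; HSTS then protects returning browsers from the first unencrypted request on later visits. If the domain is ever to be submitted to the browser preload list, max-age must be at least 31536000 (one year) and the header must include both includeSubDomains and preload.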



"MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> wrote on 10/02/2021
09:45:05 AM:

From: "Tom Hightower" <tomh@xxxxxxxxxxx>
To: "MIDRANGE-L (midrange-l@xxxxxxxxxxxxxxxxxx)" <midrange-
l@xxxxxxxxxxxxxxxxxx>
Date: 10/02/2021 09:45 AM
Subject: [EXTERNAL] How do I fix this: HTTPS request can be accessed over HTTP
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxxxxxxxx>

We host two of our servers on our i, with lots of NetData scripts,
calling CL and RPGLE programs. For nearly 20 years everything has
been fine (SSL and non-SSL). We have one server running non-SSL,
another running SSL (SERVERA, SERVERSSL).

Over the past few weeks when we do a scan via SecureTrust, we've
started getting this fail from them: HTTPS request can be accessed over
HTTP.

Any idea on where to start looking to resolve this?

Following is some text that they provide on the fail error, if it
helps...
Description: The application server does not distinguish between
requests sent over an insecure channel (HTTP) and requests originally
sent over HTTPS and gives a similar response. This type of
vulnerability constitutes an access control weakness that can
compromise the confidentiality of your data. Also, the availability
of particular pages outside of a secured context can cause
legitimate users to believe that the session is secure, and
therefore submit private information in clear text. For example, if
credit card details are entered in a session which is accessed over
https and if this session is accessible through http, then these
details can be used by the attacker resulting in loss of
confidentiality.

CVE: CVE-NO-MATCH

Solution: Examine your web server's configuration to determine why
pages that should only be viewable via HTTPS are being served over
HTTP. Also, examine the configuration of any applications you have
installed to ensure that the proper permissions are in place to
prohibit forceful browsing of HTTPS resources over HTTP.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription
related questions.



This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
