- An HTTP-based URL without TLS was detected, potentially exposing confidential information to man-in-the-middle attacks.
- If possible, change this to an HTTPS-based URL to enforce transport-layer encryption.
One important aspect of application security involves protecting data as it is transferred between clients and servers. In the case of a web-application, this means between your web-browser and a web-server. One of the most important mechanisms for protecting this data is enabling TLS (previously known as SSL). When configured correctly, it provides a high level of assurance that any party with access to network traffic will not be able to view or modify data as it passes.
Many web-servers already support TLS, as do many CDNs.
If the application is handling sensitive data, this finding should generally be rated as 'critical'.
If this finding was applied to text that doesn't actually imply a network connection (e.g. within an XML schema or as an opaque identifier), then this finding can be ignored.