SCP09 Communication Security
What this means
SiteShadow flagged transport security patterns that are weak or disabled (HTTP instead of HTTPS, TLS verification disabled, permissive TLS settings, insecure redirects).
Why it matters
Weak transport security allows interception or tampering.
- Credential theft via MITM when TLS isn't enforced/verified (see T01/CWE-295).
- Data tampering: attackers modify responses/requests in transit.
- Session hijacking if cookies travel over insecure channels.
Safer examples
1) Enforce HTTPS and strict TLS verification
Never disable certificate verification in production (see CWE-295 / T01).
2) Use HSTS to prevent downgrade to HTTP
Set Strict-Transport-Security with an appropriate max-age once HTTPS is stable.
3) Use safe clients with timeouts
Set timeouts and restrict TLS versions/ciphers where appropriate (see CWE-757).
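The three items above combined into one client-side configuration, as an added example that is not SiteShadow's code or a sample from this page: a Python urllib/ssl setup that refuses non-HTTPS URLs, verifies certificates and hostnames, rejects TLS below 1.2, applies a request timeout, refuses redirects that downgrade to HTTP, and builds the Strict-Transport-Security value for the server side. The hostnames and the 10-second timeout are constructed values for the example.

```python
"""Hardened transport settings for an HTTP client (added example, not SiteShadow's code)."""
from __future__ import annotations

import ssl
import urllib.request
from urllib.parse import urlparse

DEFAULT_TIMEOUT = 10  # seconds; constructed value, tune per service


def make_tls_context() -> ssl.SSLContext:
    """Context that verifies the chain and hostname and refuses TLS 1.0/1.1."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CA bundle
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # weak protocol versions are not negotiated
    return ctx


def is_https_url(url: str) -> bool:
    """True only for https:// URLs; the check is on the scheme, case-insensitively."""
    return urlparse(url).scheme.lower() == "https"


def require_https(url: str) -> str:
    """Fail closed before any request is made if the URL is not https://."""
    if not is_https_url(url):
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    return url


def hsts_header(max_age: int = 31536000, include_subdomains: bool = True,
                preload: bool = False) -> str:
    """Strict-Transport-Security value; default max-age is one year in seconds."""
    if max_age <= 0:
        raise ValueError("max-age must be positive")
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        # The preload list requires includeSubDomains and at least a one-year max-age.
        if not include_subdomains or max_age < 31536000:
            raise ValueError("preload requires includeSubDomains and max-age >= 1 year")
        parts.append("preload")
    return "; ".join(parts)


class HttpsOnlyRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Follow redirects only to https:// targets; an https->http hop is a downgrade."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        require_https(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_opener() -> urllib.request.OpenerDirector:
    """Opener wired to the strict TLS context and the downgrade-refusing redirect handler."""
    https_handler = urllib.request.HTTPSHandler(context=make_tls_context())
    return urllib.request.build_opener(https_handler, HttpsOnlyRedirectHandler())


def fetch(url: str, timeout: float = DEFAULT_TIMEOUT) -> bytes:
    """GET url over verified TLS with a timeout (network call; not exercised offline)."""
    with build_opener().open(require_https(url), timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    ctx = make_tls_context()
    print("verify_mode:", ctx.verify_mode.name, "check_hostname:", ctx.check_hostname,
          "minimum_version:", ctx.minimum_version.name)
    print("HSTS:", hsts_header())
    print("https ok:", is_https_url("https://api.example.com/v1"),
          "http rejected:", not is_https_url("http://api.example.com/v1"))
```

The redirect handler matters because a verified HTTPS request can still be undone by a 301 to an http:// location; refusing that hop on the client complements HSTS on the server.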
How SiteShadow detects it (high level)
- Detects TLS/HTTP client usage and flags disabled verification, weak protocol settings, and insecure URL patterns.
- Detects endpoints served without expected transport protections.
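To make the two bullets concrete, the following is an added example of the kind of pattern matching they describe; it is not SiteShadow's detector, and both its rules and the source snippet it scans are constructed for this page. It flags disabled certificate or hostname verification, pinned weak protocol versions and quoted cleartext http:// URLs, reporting the line number and label for each hit.

```python
"""Toy transport-security linter (added example, not SiteShadow's detector)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed rules: each regex maps to the finding it represents.
RULES = [
    (re.compile(r"\bverify\s*=\s*False\b"), "TLS certificate verification disabled"),
    (re.compile(r"check_hostname\s*=\s*False"), "hostname verification disabled"),
    (re.compile(r"\bCERT_NONE\b"), "verify_mode set to CERT_NONE"),
    (re.compile(r"_create_unverified_context"), "unverified SSL context"),
    (re.compile(r"PROTOCOL_(SSLv2|SSLv3|TLSv1|TLSv1_1)\b"), "weak protocol version pinned"),
    # Quoted http:// literal; loopback is excluded so local dev URLs do not fire.
    (re.compile(r"""["']http://(?!localhost|127\.0\.0\.1)[^"'\s]+["']"""),
     "cleartext http:// URL"),
]


@dataclass
class Finding:
    line: int
    label: str
    snippet: str


def scan_source(text: str) -> list[Finding]:
    """Run every rule over every non-comment line; findings are in line order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # a comment cannot disable verification
        for pattern, label in RULES:
            if pattern.search(line):
                findings.append(Finding(lineno, label, stripped))
    return findings


# Constructed source snippet standing in for a scanned file.
SAMPLE_SOURCE = """\
import requests
API = "https://api.example.com/v1"
LEGACY = "http://legacy.example.com/data"
r = requests.get(API, verify=False, timeout=5)
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
ok = requests.get(API, timeout=5)
"""


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.label}: {f.snippet}")
```

A real scanner would work on a parsed syntax tree rather than regexes (to follow a `verify` flag through a variable, for instance), but the rule shape is the same: locate the client or context construction, then check the arguments that control verification, protocol version and scheme.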
References
- OWASP Secure Coding Practices: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/