Vulnerability: Backend API Access via HTTP (Not HTTPS)

What’s the Vulnerability?

Some API endpoints call backend web services over plain HTTP instead of HTTPS. Everything on the wire, request and response alike, travels unencrypted and unauthenticated: it is readable by anyone on the network path, and nothing proves the client is actually talking to the real backend.
So, what’s the risk?
Any data exchanged between the client and the server, such as tokens, credentials, PII and session IDs, can be read, replayed or altered by an attacker sitting anywhere on the path (a shared Wi-Fi network, a compromised router, an upstream provider).

This makes the API vulnerable to:

  • Man-in-the-Middle (MitM) attacks
  • Session hijacking
  • Data tampering
  • Sensitive info disclosure

Impact of the Vulnerability

When HTTP is used instead of HTTPS, you're putting users and the entire app at risk.
Here's what can go wrong:

  • MitM Attacks: An attacker on the same network (public Wi-Fi, a compromised router) can sniff traffic, steal session tokens, or modify requests and responses in flight, including injecting content into the API's replies.
  • No Data Confidentiality: Every request and response is visible in plain text, with zero encryption and no assurance of who is on the other end.
  • Compliance Failures: Unencrypted transport of personal or health data can breach GDPR and HIPAA obligations, and it maps directly to the OWASP Top 10 category Cryptographic Failures (A02:2021), so it will be flagged in any audit or pentest.
  • Loss of Trust: If customers learn their data isn’t protected, it damages your brand reputation.

Solution to Fix the Vulnerability

  1. Switch to HTTPS for all backend API communications
    1. Ensure every backend service is hosted on a TLS-enabled endpoint (TLS 1.2 or later, with a certificate issued for the hostname the client actually uses).
    2. Replace every http:// URL in your code and configs with https://, and have the backend redirect or reject plain-HTTP requests so a stray client cannot silently fall back.

  2. Enforce HTTPS using HSTS (HTTP Strict Transport Security)
    1. Once a browser has seen the header over HTTPS, it refuses to make plain-HTTP connections to that host for max-age seconds. The header is ignored when it arrives over HTTP, so it only takes effect once the site already serves HTTPS.
    2. Example header:
      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    3. Caveat: HSTS is honoured by browsers. Server-to-server clients (SDKs, curl, scripts) keep no HSTS cache, so for backend-to-backend calls the https:// scheme has to be enforced in the client code and configuration itself. Add preload only when you are ready to submit the domain at hstspreload.org, because removal from the preload list is slow.

  3. Validate TLS Certificates
    1. Make sure every backend server presents a certificate that chains to a CA the client trusts and matches the hostname being called. Never disable verification (verify=false style flags) to "make it work"; that re-opens the MitM hole with extra steps.
    2. Avoid self-signed certs unless you pin them explicitly. For internal services a private CA whose root is installed on the clients is the cleaner option.

  4. Update Hardcoded URLs
    1. Grep the codebase, deployment manifests, environment files and JS bundles for http:// and fix every hit that is not a deliberate loopback or local-dev address.

  5. Use Secure Load Balancers or Proxies
    1. If a reverse proxy or load balancer terminates TLS, the hop from it to the backend is plaintext unless you re-encrypt it. Either enable TLS (ideally mutual TLS) between the proxy and the origin, or make certain that hop never leaves a network segment you control. An unencrypted proxy-to-backend hop across an untrusted network is the same vulnerability, just moved one step back.
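The checks behind steps 1 to 4, as an added example written for this post rather than code from the original page or any particular project. It scans a constructed set of sample files for hardcoded http:// URLs (skipping loopback addresses used in local development), rewrites them to https://, validates a Strict-Transport-Security header against the values recommended above, and shows how a non-browser client, which ignores HSTS, enforces HTTPS and certificate verification itself. File names, hostnames and the HSTS values are all made up for the demonstration.

```python
"""Checks for the HTTP-to-HTTPS fix: find plaintext URLs, validate HSTS, enforce https in clients."""
import re
import ssl
from urllib.parse import urlparse

# Constructed sample files standing in for a real repository (hostnames are invented).
SAMPLE_FILES = {
    "config/settings.py": 'API_BASE = "http://api.internal.example:8080/v1"\n'
                          'CDN = "https://cdn.example/static"\n',
    "src/client.js": "fetch('http://payments.example/charge', {method: 'POST'})\n",
    "docker-compose.yml": "  environment:\n    - UPSTREAM=http://localhost:9000\n",
}

HTTP_URL_RE = re.compile(r"\bhttp://[^\s'\"<>)]+")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
ONE_YEAR = 31536000  # seconds; the minimum max-age the HSTS preload list accepts


def find_plaintext_urls(files, allow_loopback=True):
    """Return (path, line_no, url) for each http:// URL; loopback hosts are skipped by default."""
    hits = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for match in HTTP_URL_RE.finditer(line):
                host = urlparse(match.group()).hostname or ""
                if allow_loopback and host in LOOPBACK:
                    continue
                hits.append((path, line_no, match.group()))
    return hits


def upgrade_to_https(text, allow_loopback=True):
    """Rewrite http:// URLs to https://, leaving loopback addresses alone unless told otherwise."""
    def repl(match):
        host = urlparse(match.group()).hostname or ""
        if allow_loopback and host in LOOPBACK:
            return match.group()
        return "https://" + match.group()[len("http://"):]
    return HTTP_URL_RE.sub(repl, text)


def check_hsts(header):
    """Parse a Strict-Transport-Security value and return a list of findings (empty means OK)."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    findings = []
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        findings.append("missing or non-numeric max-age")
    elif int(max_age) < ONE_YEAR:
        findings.append("max-age below one year")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set")
    if "preload" in directives and findings:
        findings.append("preload requires max-age >= 1 year and includeSubDomains")
    return findings


def https_only_context():
    """TLS client context that verifies the chain and hostname against the system trust store."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def require_https(url):
    """Refuse to build a backend request to a plaintext URL (server-side clients ignore HSTS)."""
    if urlparse(url).scheme != "https":
        raise ValueError("refusing plaintext backend call: " + url)
    return url


if __name__ == "__main__":
    for path, line_no, url in find_plaintext_urls(SAMPLE_FILES):
        print(f"{path}:{line_no}: plaintext URL {url} -> {upgrade_to_https(url)}")
    print("HSTS findings for 'max-age=300':", check_hsts("max-age=300"))
    ctx = https_only_context()
    print("verify_mode:", ctx.verify_mode.name, "check_hostname:", ctx.check_hostname)
    try:
        require_https("http://api.internal.example/v1")
    except ValueError as err:
        print(err)
```

Run it over a real checkout by replacing SAMPLE_FILES with the files you read from disk; the loopback exception keeps local-dev compose files out of the report while every other http:// hit is listed. Pass the context from https_only_context() to your HTTP client (for example as the context argument of urllib.request.urlopen) and wrap every backend URL in require_https() so a misconfigured http:// value fails loudly at startup instead of quietly sending credentials in the clear.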

Using HTTP for API traffic in 2025? That’s like sending postcards with your password written on them.
Always use HTTPS. Encrypt everything. If your backend APIs are still on HTTP, patch that ASAP — your users and your app’s security depend on it.