Findings
Insecure host (OAS2)
Updated: June 19, 2025
Description
Remediation
Security Frameworks
Security misconfiguration is commonly a result of unsecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information.
Security misconfiguration is commonly a result of unsecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information.
CIS-ASG-2.1.6: CIS 2.1.6: Implement Cryptographic Techniques to Secure User Credentials and Authentication Tokens
Specify protocols to secure user data transmission and storage with cryptographic protocols.
Rationale
Implementing cryptographic techniques to secure user credentials and authentication tokens helps mitigate risks and prevent unauthorized access. Encrypting passwords and tokens helps keep sensitive data secure and complies with regulations such as GDPR. This renders data unreadable to unauthorized parties, protecting user credentials and authentication tokens from potential breaches and ensuring compliance with data protection laws and industry standards.
Remediation
- Select password hashing methods.
- Chose encrypted token storage and secure method of generation.
- Use TLS/SSL.
- Enhance key management practices and policies.
- Apply monitoring practices.
- Document all changes made.
Audit
- Review existing relevant policies.
- Assess if existing procedures are compliant with regulations.
- Assess password hashing methods.
- Assess token storage and method of generation.
- Assess TLS/SSL versions.
- Assess key management practices and policies.
- Assess monitoring practices.
CIS-ASG-2.2.2: CIS 2.2.2: Enforce TLS/SSL protocols
Enforce TLS and SSL protocols.
Rationale
Enforcing TLS/SSL protocols ensures data transfer encryption, safeguarding against interception and eavesdropping by malicious actors. By preventing Man-in-the-Middle (MITM) attacks, TLS/SSL maintains data confidentiality and integrity during transmission. It also protects the authentication procedure from unauthorized access, meeting compliance requirements and ensuring secure communication channels between clients and servers.
Remediation
- Update the configuration settings.
- Renew all certificates.
- Implement HTTPS redirection from port 80 (HTTP) to port 443 (HTTPS) and implement HSTS to enforce HTTPS.
- Address any vulnerabilities introduced by old and current HTTPS versions.
- Enforce monitoring and alerting.
- Update the documentation.
Audit
- Review the current configuration settings.
- Review certificates to ensure they are current, properly configured, and secure, preventing potential vulnerabilities.
- Review HTTPS implementation and versions.
- Review any non-compliant connections.
- Review policies and compliance requirements.
CIS-ASG-3.1.3: CIS 3.1.3: Ensure the use of SSL/TLS
Verify the use of SSL/TLS for all API endpoints and versions.
Rationale
Ensuring the use of SSL/TLS is important because it keeps data transfer and communication encrypted, protecting sensitive information from being intercepted. It also mitigates Man-in-the-Middle (MiTM) vulnerabilities, enhancing security. Additionally, using SSL/TLS helps comply with regulations that mandate secure data transmission.
Remediation
- Enforce SSL/TLS encryption for all API communications.
- Regularly review configurations and certificates for expiration dates and assess if they are compromised.
- Update versions when necessary.
- Monitor configurations.
Audit
- Review SSL/TLS enforcement for all endpoints.
- Evaluate SSL/TLS versions.
- Review certification expiration dates and assess if they are compromised.