CSM 10.2.2 Documentation

Prevent Browsing HTTP from HTTPS

Browse HTTP from HTTPS is a vulnerability that allows HTTPS pages to be accessed over HTTP, which can disclose sensitive information. We strongly suggest editing the web.config files to redirect HTTP requests to HTTPS.

  1. Edit the web.config file for the Portal and/or the Web Client.
    • For the Portal, edit the web.config file in C:\Program Files (x86)\Cherwell Browser Applications\Portal
    • For the Web Client, edit the web.config file in C:\Program Files (x86)\Cherwell Browser Applications\BrowserClient
  2. Under the appSettings section, uncomment the following key:
      <add key="RedirectHttpToHttps" value="True" />
  3. Reset IIS.
  4. Review the configuration of any applications you have installed to ensure proper permissions are in place to prohibit forceful browsing of HTTPS resources.
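
To confirm that step 2 took effect in both files, the following added example (not part of the vendor documentation) reports whether the key is active, still commented out, or missing. The function name Get-RedirectSettingState is hypothetical, and the script assumes the key sits in the standard <appSettings> element of a file named web.config in each directory from step 1.

```powershell
# Added example (not vendor code): report the state of RedirectHttpToHttps.
function Get-RedirectSettingState {
    param([Parameter(Mandatory = $true)][string]$ConfigText)
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($ConfigText)   # throws on malformed XML
    # Assumption: the key lives in the standard <appSettings> element.
    $node = $doc.SelectSingleNode("//appSettings/add[@key='RedirectHttpToHttps']")
    if ($null -ne $node) {
        # Assumption: the value is compared without regard to case.
        if ($node.GetAttribute('value') -ieq 'True') { return 'Enabled' }
        return 'PresentButNotTrue'
    }
    # A key still wrapped in <!-- --> is a comment node, so it has no effect.
    foreach ($c in $doc.SelectNodes('//appSettings/comment()')) {
        if ($c.Value -match 'RedirectHttpToHttps') { return 'CommentedOut' }
    }
    return 'Missing'
}

# Constructed sample: the key still commented out, as before step 2.
$sample = @'
<configuration>
  <appSettings>
    <!-- <add key="RedirectHttpToHttps" value="True" /> -->
  </appSettings>
</configuration>
'@
"sample: $(Get-RedirectSettingState $sample)"

# Directories named in step 1; the file name web.config is assumed in each.
$dirs = 'C:\Program Files (x86)\Cherwell Browser Applications\Portal',
        'C:\Program Files (x86)\Cherwell Browser Applications\BrowserClient'
foreach ($d in $dirs) {
    $path = Join-Path $d 'web.config'
    if (Test-Path -LiteralPath $path) {
        $text = Get-Content -LiteralPath $path -Raw
        '{0}: {1}' -f $path, (Get-RedirectSettingState $text)
    } else {
        '{0}: not found' -f $path
    }
}
```

Any result other than Enabled for an installed application means HTTP requests to it are not being redirected by this setting.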
