Prevent Browsing HTTP from HTTPS
Browse HTTP from HTTPS is a vulnerability that allows HTTPS pages to be accessed over unencrypted HTTP, which can disclose potentially sensitive information. We strongly suggest enforcing the redirection of HTTP requests to HTTPS via a setting in Overwatch.
To redirect HTTP requests to HTTPS:
- Use the Command-Line Configure utility to pass the following command to Overwatch. This enforces redirection in the CSM Portal.
/updateportalsettings /redirecthttptohttps=true
- Use the Command-Line Configure utility to pass the following command to Overwatch. This enforces redirection in the CSM Browser Client.
/updatebrowserclientsettings /redirecthttptohttps=true
- Reset IIS.
- Review the configuration of any applications you have installed to ensure proper permissions are in place to prohibit forceful browsing of HTTPS resources.
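After IIS is reset, the redirect can be confirmed from a workstation. The following Python script is an added example, not part of the product or its documentation: it sends one plain-HTTP request per URL without following redirects and reports whether the answer is a redirect to HTTPS. The URLs are supplied on the command line, and the verdict strings are this example's own.

```python
"""Check that plain-HTTP requests are answered with a redirect to HTTPS."""
import http.client
import sys
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}


def classify(url, status, location):
    """Judge one plain-HTTP response; the redirect itself is not followed."""
    if status in REDIRECTS and location:
        target = urlsplit(urljoin(url, location))  # resolve a relative Location
        if target.scheme != "https":
            return "FAIL: redirect stays on HTTP"
        if target.hostname != urlsplit(url).hostname:
            return "WARN: redirects to HTTPS on a different host"
        return "OK: redirects to HTTPS"
    if 200 <= status < 300:
        return "FAIL: content served over HTTP"
    return "CHECK: status %d, no HTTPS redirect" % status


def probe(url, timeout=5):
    """Send one GET over plain HTTP and return (status, Location header)."""
    parts = urlsplit(url)
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


if __name__ == "__main__":
    # Arguments: the http:// URLs of your own CSM Portal and Browser Client.
    failed = False
    for url in sys.argv[1:]:
        try:
            verdict = classify(url, *probe(url))
        except (OSError, http.client.HTTPException) as exc:
            verdict = "CHECK: no answer on HTTP (%s)" % exc
        print(url, "->", verdict)
        failed = failed or verdict.startswith("FAIL")
    sys.exit(1 if failed else 0)
```

Run it once for the portal URL and once for the browser client URL, since each has its own setting; a non-zero exit code means at least one URL still serves content or redirects over HTTP.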