Add no redirect to HTTPS to resolve #2416

[tghosth]

This Pull Request relates to issue #2416

[elarlang]

I think the wording still needs some improvements, an attempt:

Verify that HTTPS-based endpoints do not respond to non-encrypted HTTP requests or respond with an error. It must not respond with a redirect to the HTTPS endpoint to avoid clients accidentally sending data over non-encrypted HTTP, but this is not being discovered due to an automatic redirect.

Probably it is level 2 requirement (not level 1)

[tghosth]

Your wording leads to a negative requirement. I agree with the level comment and I also clarified the second part of the req.

I would propose:

#	Description	L1	L2	L3	CWE
13.1.8	[ADDED] Verify that HTTPS-based endpoints will only respond to non-encrypted HTTP requests with an error or will not respond at all. Responding with an automatic redirect to the HTTPS endpoint may lead to clients accidentally sending data over non-encrypted HTTP, but this is not being discovered.			✓

[elarlang]

But I would still say level 2. It's easy to implement.

[tghosth]

Fair comment @elarlang, I updated the PR so are you comfortable to approve now?

[jmanico]

I know this is merged but this text is a little awkward.

non-encrypted HTTP

This is redundant.

requests with an error

This alone can be problematic. The better call it to not respond at all:

So I suggest we just keep this simple, with text like.

Verify that HTTPS-based endpoints do not respond to HTTP requests.

This drops the negative requirement of not redirecting, drops the "error message" part, and simplifies the language.

[elarlang]

You can re-open related issue (#2416) with recommendations.