Cyber Security Insurance finding "HTTP Service without SSL/TLS found"

Can someone help me with a Cyber Security finding I need to address…
My company uses to find issues related to website security.
There is one medium security finding currently that I need help with; it is "HTTP Service without SSL/TLS found" and it lists the IP URL.
This security finding also says it impacts 35 related subdomains and lists them.

Can someone help me with how I should go about trying to fix this?


Sorry to hear you are having some trouble with this. Are the endpoints it is calling out able to be accessed via http? Do you have “always use https” enabled in your Cloudflare zone? What are the items this test is looking at to quantify a fail or pass?

Look forward to hearing from you!

Can I also add myself to this entry as I am having the same issue with the same vendor.
My client has Always Use HTTPS AND HTTPS Redirect but when you telnet 8080, it shows open on the Cloudflare IP although it’s not supposed to be open, and it’s not open for our internal firewall.
Are we supposed to enable another setting to fully close 8080 or any HTTP ports?
We did not enable HSTS and weren't sure if that was the answer.

If you telnet to port 8080, it will connect as Cloudflare’s proxy listens on that port for HTTP.

Any settings you have in your account will take effect after the headers have been passed and your site has been identified by the host header.

Thank you for the response. I did find that same article and just wanted to clear up my confusion.
In order to close 8080, I have to get a paid Cloudflare plan and set up a WAF?
That’ll be an easy response to give back to my client.

You can’t close the edge port. The IP address is not exclusive to you.

You can use the WAF to reject requests via those ports (on paid plans), but just scanning the IP address that your domain resolves to will always show the port as open.

Thank you! I will let the customer know.
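An added example, not part of the thread: the replies say zone settings apply only once the Host header has identified the site, so a port scan of the shared edge IP cannot show whether a hostname actually answers over plain HTTP. This sketch classifies the response to a request that carries the hostname; the sample responses are constructed, and `classify` and `probe` are hypothetical names.

```python
import socket
from urllib.parse import urlsplit

def classify(raw: bytes) -> str:
    """Classify a raw HTTP/1.x response that was received over plain HTTP."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "not-http"
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if status in (301, 302, 307, 308):
        # Only an absolute https:// target counts as an upgrade to TLS.
        if urlsplit(headers.get("location", "")).scheme == "https":
            return "redirects-to-https"
        return "redirects-elsewhere"
    if 200 <= status < 300:
        return "serves-plain-http"   # content delivered without TLS
    return "rejected"                # e.g. a block rule, or another 4xx/5xx

def probe(host: str, port: int = 80, ip: str = "", timeout: float = 5.0) -> str:
    """Live check: connect to ip (or host) and send a request naming host."""
    host_header = host if port == 80 else f"{host}:{port}"
    request = f"GET / HTTP/1.1\r\nHost: {host_header}\r\nConnection: close\r\n\r\n"
    data = b""
    with socket.create_connection((ip or host, port), timeout=timeout) as s:
        s.sendall(request.encode("ascii"))
        while b"\r\n\r\n" not in data and len(data) < 65536:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return classify(data)

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "redirect": b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.com/\r\n\r\n",
    "plain": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
    "blocked": b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(raw))
```

Running `probe` for each listed subdomain on ports 80 and 8080 gives per-hostname evidence to send back to the scanner vendor, which an open-port result on the shared IP does not.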
