Missing TLS in APIs
What is Missing TLS?
Missing TLS refers to the absence of Transport Layer Security (TLS) encryption in API communications. TLS is the cryptographic protocol that secures data in transit between clients and servers, replacing the older SSL protocol. When an API endpoint is accessible over HTTP instead of HTTPS, all data transmitted—including authentication credentials, personal information, and business data—travels in plaintext.
Modern APIs should enforce HTTPS everywhere, using TLS 1.2 or higher (TLS 1.3 is recommended). Without TLS, attackers can intercept traffic using techniques like:
- Man-in-the-middle (MITM) attacks on public networks
- Packet sniffing on compromised network infrastructure
- Domain hijacking or DNS spoofing
- Traffic analysis and metadata collection
The exposure is not limited to endpoints that answer over HTTP. Any API that accepts HTTP requests at all, including one that only redirects them to HTTPS, lets the initial plaintext request carry credentials or session tokens that can be intercepted and replayed, so it still creates an attack surface for credential theft and session hijacking.
How Missing TLS Affects APIs
The impact of missing TLS varies from severe data exposure to complete account takeover, depending on what functionality the API provides. Here are common attack scenarios:
- Credential interception: Attackers capture API keys, passwords, and tokens sent over HTTP, enabling unauthorized access
- Session hijacking: Authentication cookies and session tokens transmitted without encryption can be stolen and reused
- Business logic abuse: Sensitive operations like payment processing or data exports become vulnerable to interception
- Compliance violations: Missing TLS often violates PCI-DSS, HIPAA, GDPR, and other regulatory requirements
- Reputation damage: Security breaches from unencrypted communications erode user trust
Consider a payment processing API that accepts HTTP requests. An attacker on the same network could intercept credit card data, API keys, and transaction details. Even APIs that redirect HTTP to HTTPS can be vulnerable during the redirect phase, where credentials might be exposed in the initial request.
How to Detect Missing TLS
Detecting missing TLS requires both manual verification and automated scanning. Here's what to check:
- Test API endpoints with HTTP requests to see if they respond or redirect
- Verify TLS certificate validity, expiration dates, and proper configuration
- Check for mixed content where HTTPS pages load HTTP resources
- Review API documentation and OpenAPI specs for HTTP endpoints
- Test for HTTP methods that shouldn't be allowed (like HTTP POST to sensitive endpoints)
middleBrick automatically detects missing TLS as part of its 12 security checks. The scanner tests each API endpoint by attempting HTTP connections and analyzing TLS configurations. It identifies endpoints that:
- Respond to HTTP requests without redirecting to HTTPS
- Have expired, self-signed, or improperly configured TLS certificates
- Support outdated TLS versions (1.0, 1.1) or weak cipher suites
- Have mixed content issues in their responses
The scanner provides a severity rating and specific recommendations for each TLS-related finding, including certificate chain issues and recommended TLS version upgrades.
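As an added example (not middleBrick's scanner code), the following Python probes one host for the first checks listed above: whether port 80 answers or redirects, which protocol version is negotiated on port 443, and whether the certificate is expired or fails verification. The decision logic sits in pure functions so it can be exercised on constructed inputs; the host names and result labels are this example's own choices.

```python
import http.client
import socket
import ssl
import time
from urllib.parse import urlsplit

WEAK_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}  # names as returned by SSLSocket.version()

def classify_http_probe(status, location, host):
    """Classify a plain-HTTP GET; even a redirect to HTTPS means the first request was in clear."""
    if status in (301, 302, 307, 308) and location:
        target = urlsplit(location)
        if target.scheme == "https" and (target.hostname or "").lower() == host.lower():
            return "redirects-to-https"
        return "redirects-elsewhere"   # downgrade to http:// or hop to another host
    if 200 <= status < 300:
        return "serves-http"           # API answers over plaintext: most severe outcome
    return "no-http"                   # 4xx/5xx: port 80 is not a usable API path

def classify_tls(version, not_after_epoch, now_epoch):
    """Findings for a negotiated protocol version and a certificate expiry (epoch seconds)."""
    findings = []
    if version in WEAK_VERSIONS:
        findings.append(f"outdated-protocol:{version}")
    if not_after_epoch <= now_epoch:
        findings.append("certificate-expired")
    return findings

def probe_http(host, timeout=5.0):
    """GET / on port 80; a refused or failed connection counts as 'no-http'."""
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        return classify_http_probe(resp.status, resp.getheader("Location"), host)
    except (OSError, http.client.HTTPException):
        return "no-http"

def probe_tls(host, timeout=5.0):
    """Handshake on 443 with verification on; a verification failure is itself a finding."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # let old servers negotiate so they can be reported
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
                return classify_tls(tls.version(), not_after, time.time())
    except ssl.SSLCertVerificationError as exc:  # expired, self-signed, name mismatch
        return [f"certificate-invalid:{exc.verify_message}"]
```

Run `probe_http(host)` and `probe_tls(host)` against a host you are authorised to assess; a result other than `redirects-to-https` or `no-http` from the first, or any non-empty list from the second, is a finding to triage.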
Prevention & Remediation
Missing TLS has caused numerous high-profile breaches. In 2017, the Equifax breach involved unencrypted data transmission in certain API endpoints, though the primary cause was unpatched software. More directly, CVE-2020-5398 affected Django REST framework where API endpoints could be accessed over HTTP, exposing authentication tokens.
The financial impact is substantial: IBM's Cost of a Data Breach Report shows that breaches involving unencrypted data cost an average of $1.4 million more than breaches in which the data was encrypted. Industries like healthcare and finance face regulatory fines of up to $1.5 million annually for HIPAA or PCI-DSS violations related to missing encryption.
Beyond direct financial losses, companies suffer reputational damage. When Uber experienced API credential exposure due to missing TLS in 2016, it led to a $148 million settlement and years of trust rebuilding. The common thread in these incidents: what could have been prevented with basic TLS implementation became multi-million dollar disasters.
Modern API security requires defense in depth. Even with proper TLS, APIs need authentication, rate limiting, and input validation. But without TLS as the foundation, all other security measures become ineffective against network-level attacks.