Test: SSL/TLS Enforced on Company Website

Drata makes a request to your company website to see if it's reachable exclusively over HTTPS.

Written by Ashley Hyman
Updated over a week ago

ASSOCIATED DRATA CONTROL

This test is part of the SSL/TLS Enforced control, which ensures that all user connections to your company web application are encrypted using SSL/TLS. Drata also checks that an 'http://' URL redirects to an 'https://' URL.

WHAT DOMAINS/URLS ARE CHECKED

The company domain and product URL specified in Drata are checked. The Drata company domain may not include the http or https protocol, or the www subdomain. This means Drata is testing the SSL certificate on that domain specifically.

WHAT IT DOES

Tests non-SSL hosts (port 80) to make sure there is a redirect to the SSL/TLS-protected URL, e.g. http://drata.com redirects to https://drata.com.

WHY ARE WE TESTING THIS?

To ensure that clients cannot access the website over an unencrypted connection. All data sent to/from the website should be encrypted.

WHAT TO CHECK IF IT FAILS

Open the non-SSL URL in a browser, e.g. http://drata.com. You should see a lock in the browser location bar, and if you click in the location bar, it should now say https://drata.com.


REMEDIATION

Add a listener on port 80 on your web server or load balancer and return a 301 redirect to port 443.
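
To confirm the redirect from a script instead of a browser, the following added example (not Drata's implementation of this test) follows plain-HTTP hops from port 80 until one points at an https:// URL. The function names, the `.example` hostnames and the sample responses are constructed for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
PERMANENT = {301, 308}

def http_get(url, timeout=5):
    """GET url over plain HTTP without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def check_https_enforced(domain, fetch=http_get, max_hops=5):
    """Start at http://domain/ and follow plain-HTTP hops until one redirects to https://."""
    url, chain = f"http://{domain}/", []
    for _ in range(max_hops):
        status, location = fetch(url)
        chain.append((url, status))
        if status not in REDIRECTS or not location:
            # Content or an error was served on port 80: the site is not HTTPS-only.
            return {"enforced": False, "permanent": False, "chain": chain}
        url = urljoin(url, location)  # Location may be relative
        if urlsplit(url).scheme == "https":
            permanent = all(s in PERMANENT for _, s in chain)
            return {"enforced": True, "permanent": permanent, "final": url, "chain": chain}
    # Still on plain HTTP after max_hops: treat a redirect loop as a failure.
    return {"enforced": False, "permanent": False, "chain": chain}

# Constructed responses (not captured from any real site), keyed by URL.
SAMPLE = {
    "http://good.example/": (301, "https://good.example/"),
    "http://plain.example/": (200, None),
    "http://hop.example/": (302, "http://www.hop.example/"),
    "http://www.hop.example/": (301, "https://www.hop.example/"),
    "http://loop.example/": (302, "/"),
}

def sample_fetch(url):
    return SAMPLE[url]

if __name__ == "__main__":
    for d in ("good.example", "plain.example", "hop.example", "loop.example"):
        r = check_https_enforced(d, fetch=sample_fetch)
        print(d, "PASS" if r["enforced"] else "FAIL", r["chain"])
```

Calling `check_https_enforced("yourdomain")` without the `fetch` argument makes a real request to port 80; a result with `permanent` set to false means a temporary redirect was used somewhere in the chain rather than the 301 described above.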
