Drata

This test is part of the <b>SSL/TLS Enforced </b>control that ensures all connections to your company web application from users are encrypted and using SSL/TLS. Drata will confirm that SSL/TLS configurations are used to encrypt all data in transit with your web application.

Company domain and product URL specified in Drata. The Drata company domain may not include the <code>http</code> or <code>https</code> protocol, or the <code>www</code> subdomain. This means Drata is testing the SSL certificate on that domain specifically.

Tests that the server rejects older SSL and TLS protocols. Also checks that the SSL/TLS certificate is valid and that the hostname on the certificate matches the domain above.

Most browsers will display an error and possibly block users from visiting a site with known issues with the SSL/TLS configuration. This can lead to exposing sensitive data to an attacker.

A modern browser will show an error in the location bar if there is an issue with the SSL/TLS connection. Open your browser with the domains/urls above and inspect the lock icon in the location bar.

Since this test covers a wide range of issues, remediation will be specific to each case. Common troubleshooting paths include:

Verify if you possess and have bundled your intermediate certificates within your SSL chain

Verify that all SSL certificates installed on your domain were actually created for that same domain

Verify that you have <a href="https://help.drata.com/en/articles/4776181-test-ssl-tls-enforced-on-company-website">set up a redirect</a> from port 80 (http) to port 443 (https) on your domain

- Verify that this listener has been set up on the "raw" version of your domain, i.e. <a href="http://domain.com/" rel="nofollow noopener noreferrer" target="_blank"><code>domain.com</code></a> as opposed to only having a listener on <a href="http://domain.com/" rel="nofollow noopener noreferrer" target="_blank"><code>http://domain.com</code></a> or <a href="http://www.domain.com/" rel="nofollow noopener noreferrer" target="_blank"><code>www.domain.com</code></a> or <a href="http://www.domain.com/" rel="nofollow noopener noreferrer" target="_blank"><code>http://www.domain.com</code></a>

Verify that you do not have any DNS rules ignoring or rejecting requests from <a href="https://help.drata.com/en/articles/5411182-dratabot">Drata's user agent or IP address</a>

Verify that your DNS and/or hosting provider do not have inconsistent or unsustained connections when receiving first requests from Drata's user agent or IP address

- Verify if you possess and have bundled your intermediate certificates within your SSL chain
- Verify that all SSL certificates installed on your domain were actually created for that same domain
- Verify that you have <a href="https://help.drata.com/en/articles/4776181-test-ssl-tls-enforced-on-company-website">set up a redirect</a> from port 80 (http) to port 443 (https) on your domain
  - Verify that this listener has been set up on the "raw" version of your domain, i.e. <a href="http://domain.com/" rel="nofollow noopener noreferrer" target="_blank"><code>domain.com</code></a> as opposed to only having a listener on <a href="http://domain.com/" rel="nofollow noopener noreferrer" target="_blank"><code>http://domain.com</code></a> or <a href="http://www.domain.com/" rel="nofollow noopener noreferrer" target="_blank"><code>www.domain.com</code></a> or <a href="http://www.domain.com/" rel="nofollow noopener noreferrer" target="_blank"><code>http://www.domain.com</code></a>
- Verify that you do not have any DNS rules ignoring or rejecting requests from <a href="https://help.drata.com/en/articles/5411182-dratabot">Drata's user agent or IP address</a>
- Verify that your DNS and/or hosting provider do not have inconsistent or unsustained connections when receiving first requests from Drata's user agent or IP address

<a href="https://www.cloudflare.com/learning/ssl/why-is-http-not-secure/" rel="nofollow noopener noreferrer" target="_blank">Why is HTTP not secure?</a>

<a href="https://www.smashingmagazine.com/2017/06/guide-switching-http-https/" rel="nofollow noopener noreferrer" target="_blank">Switching from HTTP to HTTPS</a>

- <a href="https://www.cloudflare.com/learning/ssl/why-is-http-not-secure/" rel="nofollow noopener noreferrer" target="_blank">Why is HTTP not secure?</a>
- <a href="https://www.ssl.com/faqs/faq-what-is-ssl/" rel="nofollow noopener noreferrer" target="_blank">What is SSL/TLS?</a>
- <a href="https://www.smashingmagazine.com/2017/06/guide-switching-http-https/" rel="nofollow noopener noreferrer" target="_blank">Switching from HTTP to HTTPS</a>

Drata makes a request to your company website to inspect its SSL/TLS configurations and determine if there are any known issues