STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-274497

CAT II (Medium)

The API must encrypt data in transit.

Rule ID

SV-274497r1142303_rule

STIG

Application Programming Interface (API) Security Requirements Guide

Version

V1R1

CCIs

CCI-000068

Discussion

An API must ensure sensitive tokens, including both internal and user-specific tokens, are transmitted over secure channels using HTTPS to protect them from being intercepted during transit. HTTPS encrypts the data being transmitted between the client and the server, ensuring tokens are securely transmitted and cannot be easily accessed by attackers, even if they intercept the communication (e.g., through man-in-the-middle attacks). This encryption is essential for maintaining the confidentiality and integrity of sensitive information, preventing unauthorized access to the API or its services. Without HTTPS, tokens are vulnerable to exposure, potentially allowing malicious actors to hijack sessions, impersonate users, or gain unauthorized access to internal systems, compromising both security and privacy.

Check Content

The API must verify that sensitive tokens are transmitted over secure channels using HTTPS. This includes both internal and user-specific tokens.

If data being transmitted between the client and server is not using HTTPS, this is a finding.

Fix Text

Build or configure the API server to automatically redirect any HTTP request to HTTPS. This ensures all communication with the API is encrypted by default.
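The fix and the check above, as an added example that is not code from DISA or STIGhub: a WSGI middleware that redirects every plain-HTTP request to HTTPS (and adds HSTS on HTTPS responses), plus a helper that evaluates one HTTP probe the way the Check Content does. The X-Forwarded-Proto handling assumes a trusted TLS-terminating proxy in front of the API; the host name api.example.test is constructed.

```python
from urllib.parse import urlsplit, urlunsplit

HSTS = "max-age=31536000; includeSubDomains"

def request_is_https(environ):
    """True when the request arrived over TLS, directly or via a proxy that
    sets X-Forwarded-Proto (assumption: the proxy strips client-supplied copies
    of that header, otherwise a client could spoof it)."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"

def force_https(app):
    """Wrap a WSGI app: HTTP requests get a 308 to the same URL over HTTPS;
    HTTPS responses gain an HSTS header so browsers stop trying HTTP at all."""
    def wrapper(environ, start_response):
        if request_is_https(environ):
            def with_hsts(status, headers, exc_info=None):
                headers = headers + [("Strict-Transport-Security", HSTS)]
                return start_response(status, headers, exc_info)
            return app(environ, with_hsts)
        host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
        target = urlunsplit(("https", host, environ.get("PATH_INFO", "/"),
                             environ.get("QUERY_STRING", ""), ""))
        # 308 keeps method and body, so a POSTed token is not resubmitted as a
        # GET. The first request still went out in clear text: the redirect is
        # a safety net for misconfigured clients, not a substitute for them
        # using HTTPS in the first place.
        start_response("308 Permanent Redirect",
                       [("Location", target), ("Content-Length", "0")])
        return [b""]
    return wrapper

def check_http_redirect(requested_url, status, headers):
    """Check Content helper: evaluate one plain-HTTP probe and return a list
    of findings (empty means the server moves the client onto HTTPS)."""
    findings = []
    if not 300 <= status < 400:
        findings.append(f"expected a redirect, got {status}")
    location = {k.lower(): v for k, v in headers}.get("location")
    if not location:
        return findings + ["no Location header"]
    target = urlsplit(location)
    if target.scheme != "https":
        findings.append(f"redirect target is not https: {location}")
    if target.hostname != urlsplit(requested_url).hostname:
        findings.append(f"redirect leaves the API host: {location}")
    return findings
```

Run `check_http_redirect` against the status and headers returned by a plain `http://` request to the API; any finding it returns maps directly to the STIG finding above.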