Why HTTPS Content Available via HTTP can be dangerous
This issue means that content accessible through HTTPS URLs can also be accessed through insecure HTTP URLs. It can result in mixed content pages, that is, HTTPS pages that include some insecure HTTP resources.
Such resources are either unable to alter other elements of the webpage, in which case they are called "passive mixed content" (images, for example), or capable of doing so, in which case they are called "active mixed content" (JavaScript files, for example). Web browsers will usually prevent mixed content from loading and display mixed content warnings or mixed content errors in the console.
HTTP connections are considered insecure. Using them exposes users to attacks such as cookie hijacking or man-in-the-middle, which can be followed by further attacks such as stealing the user's session or modifying the content exchanged between the service and the user.
How to fix HTTPS Content Available via HTTP
Make sure you enable HTTPS on your server.
Make sure to redirect all requests from HTTP to HTTPS site-wide.
Disable any option that lets the web browser force HTTP.
Ensure that the web server, application server, load balancer etc. are configured to serve the secure content only via HTTPS.
Consider implementing HTTP Strict Transport Security.
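The outcome of these steps can be checked from the outside. The following Python code is an added example, not ScanRepeat's code: it classifies the plain-HTTP response for a URL and reads the HSTS max-age from the HTTPS response headers. The host shop.example, the function names and the sample responses are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def classify_http(http_url, status, headers):
    """Classify the plain-HTTP response for a URL that is also served over HTTPS."""
    h = {k.lower(): v for k, v in headers.items()}
    if status in REDIRECTS:
        # Location may be relative; resolve it against the requested URL.
        target = urlsplit(urljoin(http_url, h.get("location", "")))
        if target.scheme == "https":
            return "redirect-to-https"
        return "redirect-stays-on-http"
    if 200 <= status < 300:
        return "content-over-http"   # the condition this article describes
    return "not-served"

def hsts_max_age(https_headers):
    """Return max-age from Strict-Transport-Security, or None if absent/invalid."""
    h = {k.lower(): v for k, v in https_headers.items()}
    m = re.search(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|$)',
                  h.get("strict-transport-security", ""), re.I)
    return int(m.group(1)) if m else None

def audit(http_url, http_resp, https_headers):
    """http_resp is (status, headers); returns a list of findings."""
    findings = []
    verdict = classify_http(http_url, *http_resp)
    if verdict not in ("redirect-to-https", "not-served"):
        findings.append(verdict)
    if not hsts_max_age(https_headers):  # missing header, or max-age=0
        findings.append("no-hsts")
    return findings

# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "fixed": ((301, {"Location": "https://shop.example/cart"}),
              {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    "exposed": ((200, {"Content-Type": "text/html"}), {}),
    "relative": ((302, {"Location": "/login"}),
                 {"Strict-Transport-Security": "max-age=0"}),
}

if __name__ == "__main__":
    for name, (http_resp, https_headers) in SAMPLES.items():
        print(name, audit("http://shop.example/cart", http_resp, https_headers))
```

The HSTS header is read from the HTTPS response only, because browsers ignore it when it arrives over plain HTTP.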
How does ScanRepeat report HTTPS Content Available via HTTP
ScanRepeat checks whether HTTPS content is also available through HTTP. It reports every occurrence of such a vulnerability, providing both the HTTPS and HTTP URLs.