Load balancer listener serves plain HTTP
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A listener with protocol "HTTP" carries traffic, including credentials and session cookies, in cleartext, where it can be read or modified on the network path.
Why it matters
A listener with protocol "HTTP" carries all traffic in cleartext, so credentials, session cookies, and API tokens can be read or altered by anyone on the network path between the client and the load balancer. Modern services should be HTTPS only, with plain HTTP used solely to redirect to HTTPS.
How to fix it
Change the listener protocol to "HTTPS" (or "TLS") and attach an ACM certificate via certificate_arn with a strong ssl_policy. Keep a port 80 listener only as a redirect that sends clients to 443. Terminate TLS at the load balancer and, for sensitive traffic, re-encrypt to the targets.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo