Secure Web Content with HTTPS Only
Ensure all web content is delivered over a secure HTTPS connection.
Plain language
This control means that any content from your website must be delivered through a secure connection, specifically HTTPS, which protects data as it moves between your website and its visitors. Using HTTPS is important because it keeps sensitive information, like personal details and payment data, safe from hackers; if not done, your customers could be at risk of identity theft or fraud.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Sept 2019
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Section
Web application development
Official control statement
All web application content is offered exclusively using HTTPS.
Why it matters
Without HTTPS, credentials and session cookies can be intercepted or altered in transit, leading to account compromise, data breaches and reputational damage.
Operational notes
Enforce HTTPS-only via HSTS and redirects; monitor TLS certificate expiry; and regularly scan for any HTTP resources/mixed content across web pages and APIs.
Implementation tips
- Business owners should ensure their website is set up to use HTTPS. This can be done by purchasing an SSL (Secure Sockets Layer) certificate from a trusted provider and installing it on your server to encrypt data.
- The IT team should monitor the website to ensure HTTPS is consistently applied. This involves checking that all pages automatically redirect from HTTP to HTTPS, which can usually be done through server settings or using a plugin for your website platform.
- Managers should ensure staff are informed about why using HTTPS is important. Hold a brief training session to explain how HTTPS protects data and to heighten awareness of its role in security.
- Web developers should configure the Content Security Policy to ensure that all resources that the website loads, such as scripts and images, are also served over HTTPS. This requires updating the website’s codebase to adhere to HTTPS protocols.
- IT support should regularly review and renew SSL certificates before they expire. Set up calendar reminders and automatic renewals with your certificate issuer to avoid lapses.
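The checks called for in the operational notes and implementation tips above (HTTP-to-HTTPS redirect, HSTS, a Content Security Policy that forces sub-resources onto HTTPS, a mixed-content scan and certificate expiry tracking), as an added example that is not part of the ISM or the Control Stack page. It is a Python checker that works offline over captured responses, so it contacts nothing; the hostnames (`www.example.test`, `cdn.example.test`), headers, HTML and certificate date are constructed, and the one-year HSTS max-age and 30-day renewal threshold are assumptions rather than values stated on the page.

```python
# Added example (not ISM or Control Stack code): offline checks for the HTTPS-only
# posture described above, run over captured responses so nothing is contacted.
from datetime import datetime
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds

def _header(headers, name):
    """Case-insensitive lookup in a plain dict of captured response headers."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def check_redirect(status, headers, request_url):
    """A plain-HTTP request must get a 301/308 to the HTTPS form of the same host."""
    findings = []
    if status not in (301, 308):
        findings.append(f"{request_url} returned {status}; expected a permanent redirect")
    location = _header(headers, "Location") or ""
    if urlparse(location).scheme != "https" or urlparse(location).netloc != urlparse(request_url).netloc:
        findings.append(f"redirect target {location!r} is not the HTTPS form of {request_url}")
    return findings

def check_hsts(headers):
    """HSTS must be present, with max-age of at least a year and includeSubDomains."""
    value = _header(headers, "Strict-Transport-Security")
    if value is None:
        return ["Strict-Transport-Security header missing"]
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    ages = [int(d[8:]) for d in directives if d.startswith("max-age=") and d[8:].isdigit()]
    findings = []
    if not ages:
        findings.append("HSTS max-age missing or not an integer")
    elif ages[0] < ONE_YEAR:
        findings.append(f"HSTS max-age {ages[0]} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains; subdomains stay reachable over HTTP")
    return findings

def check_csp(headers):
    """CSP should force sub-resources onto HTTPS (upgrade-insecure-requests or block-all-mixed-content)."""
    value = _header(headers, "Content-Security-Policy") or ""
    names = {d.strip().split()[0].lower() for d in value.split(";") if d.strip()}
    if names & {"upgrade-insecure-requests", "block-all-mixed-content"}:
        return []
    return ["CSP lacks upgrade-insecure-requests (or block-all-mixed-content)"]

class _Resources(HTMLParser):
    """Collects sub-resource URLs (scripts, images, stylesheets, frames, media)."""
    ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href",
             "audio": "src", "video": "src", "source": "src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        self.urls += [v for k, v in attrs if wanted and k == wanted and v]

def find_mixed_content(html, page_url):
    """Absolute http:// sub-resources of an HTTPS page; relative and // refs resolve to https."""
    parser = _Resources()
    parser.feed(html)
    return [u for u in (urljoin(page_url, r) for r in parser.urls) if urlparse(u).scheme == "http"]

def cert_days_remaining(not_after, today):
    """Days left; not_after in OpenSSL notAfter form ('Mar 19 00:00:00 2026 GMT'), today as YYYY-MM-DD."""
    expiry = datetime.strptime(not_after.rsplit(" ", 1)[0], "%b %d %H:%M:%S %Y")  # zone name dropped
    return (expiry - datetime.strptime(today, "%Y-%m-%d")).days

def assess(capture, today, warn_days=30):
    """Run every check over one captured site; an empty list means the control is met."""
    findings = check_redirect(capture["http_status"], capture["http_headers"], capture["http_url"])
    findings += check_hsts(capture["https_headers"]) + check_csp(capture["https_headers"])
    findings += [f"mixed content: {u}" for u in find_mixed_content(capture["html"], capture["https_url"])]
    days = cert_days_remaining(capture["not_after"], today)
    if days < warn_days:
        findings.append(f"certificate expires in {days} days (below the {warn_days}-day renewal threshold)")
    return findings

# Constructed capture of a site that only half-applies the control (hostnames are made up).
WEAK_SITE = {
    "http_url": "http://www.example.test/login", "http_status": 200, "http_headers": {},
    "https_url": "https://www.example.test/login",
    "https_headers": {"Strict-Transport-Security": "max-age=300",
                      "Content-Security-Policy": "default-src 'self'"},
    "html": '<link rel="stylesheet" href="/static/site.css">'
            '<script src="http://cdn.example.test/analytics.js"></script>'
            '<script src="//cdn.example.test/app.js"></script><img src="images/logo.png">',
    "not_after": "Mar 19 00:00:00 2026 GMT",
}

def example_findings():
    """Findings for the constructed capture, assessed on 2026-03-01 (seven expected)."""
    return assess(WEAK_SITE, "2026-03-01")

if __name__ == "__main__":
    for finding in example_findings():
        print("FAIL:", finding)
```

Running the module prints seven findings for the constructed site: no redirect, a short HSTS lifetime without `includeSubDomains`, a CSP that does not upgrade insecure requests, one genuine `http://` script, and a certificate inside the renewal window. The mixed-content scan resolves relative and protocol-relative references against the HTTPS page URL first, so only references that would really load over HTTP are reported; feeding the same functions the headers and HTML of each page and API endpoint gives the regular scan the operational notes ask for.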
Audit / evidence tips
- Ask for the website's SSL certificate details: Request documentation that shows the purchase and installation of an SSL certificate.
- Ask for the web server configuration settings: Request a demonstration or a screenshot of server settings showing HTTPS redirection. Check that HTTP requests are automatically redirected to HTTPS. Good means every HTTP request is captured and redirected smoothly.
- Ask for a network traffic report: Request logs or reports showing traffic patterns.
- Ask for a content security policy record: Request documentation on the policies set up to enforce HTTPS. Check for rules that mandate all script, image, and resource loading over HTTPS. Good means all resources conform to HTTPS protocols.
- Ask for the SSL expiry monitoring system: Request evidence of tracking SSL certificate expiry. Good means automated systems or alerts that prevent certificate expiry problems.
Cross-framework mappings
How ISM-1552 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.26 | ISM-1552 requires all web application content to be delivered exclusively using HTTPS to protect confidentiality and integrity in transit |
| Depends on | Annex A 8.9 | ISM-1552 requires organisations to configure web applications and associated services so content is delivered only via HTTPS |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.