Why this matters
Encryption in transit is a SOC 2 baseline control to protect confidentiality and integrity.
Public services must require TLS 1.2 or higher and set HSTS (Strict-Transport-Security with max-age ≥ 15552000, i.e. at least 180 days, and includeSubDomains). Reject plaintext HTTP and weak cipher suites. Every cookie must carry Secure and HttpOnly and an explicit SameSite attribute.
Side-by-side examples engineers can pattern-match during review.
Bad (fails the rule):
Response header: Set-Cookie: sid=abc; HttpOnly
(no HSTS; accepts plaintext HTTP; cookie lacks Secure and SameSite)

Good (passes the rule):
Response headers:
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: sid=abc; Secure; HttpOnly; SameSite=Lax

HSTS header patterns:
Good: Strict-Transport-Security: max-age=31536000; includeSubDomains
Bad: Strict-Transport-Security: max-age=0 (a zero max-age tells browsers to discard the cached HSTS policy, so the host falls back to accepting plaintext HTTP; it also fails the ≥ 15552000 floor)