Vulnerability over the use of port 80


We are facing problems with our security department. They found a vulnerability over the use of port 80 (Weak protocol found port 80 (HTTP) was found open).

When we remove this bidding (Port 80) on IIS, the service center and other services stop working correctly.

** Our infrastructure is basic. We have only 1 server as Controller and Front-End at the same time.


Hi Christian,

It sounds like your infrastructure is accessible through HTTP, instead of forcing an HTTPS connection (you could validate this by deliberately accessing ServiceCenter through an HTTP URL). This can be a security risk because it allows users to receive and transmit information in your infrastructure in a clear text channel, without encryption.

It's possible to configure IIS to enforce HTTPS even if a user attempts to access a resource through HTTP, but this should be coordinated with your security department and your infrastructure department - I'm assuming your OutSystems server is on premise, and not cloud.

Thanks for your reply,

Yes, We are On Premises installation.

That option don't worked.

When Port 80 Bidding is removed or force HTTPS on IIS, like you suggest, some services stop working correctly.

Yesterday, Outsystems reply us, that this Port is part of the installation requirements.

"Port 80 is part of OutSystems Network Requirements so before-hand we expect our customers to be able to comply with these base-requirements."


Sorry Christian, I was mistaken in my second paragraph - forcing HTTPS for the entire environment is possible, but it's a Lifetime setting. If you don't have Lifetime, you can still enable HTTPS at an application level.

However, not knowing how your security department conducts their testing, I don't know if using this setting will change their findings. An open port is a possible vulnerability, but other variables must be taken into account, like risk. After enabling the above setting, every user is forced to interact with the environment through HTTPS - even if they still detect the port, the risk changes to near zero.

Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.