nmap -sV -p 80 target
nmap -sV -sC --script=banner -p 80 target
nc -zv target 80
nmap -sV to identify the exact service and versionsearchsploit http to find known exploitsHTTP on port 80 is the original unencrypted web protocol. Every browser, mobile app, IoT device, and server speaks it. In 2026 it should almost never be the final destination — modern web traffic should be HTTPS (port 443) for encryption, with port 80 redirecting to 443 for compatibility with browsers and clients that try HTTP first.
The fundamental security problem with port 80 is cleartext transmission. Anyone on the network path between client and server can read every request and response — credentials in form submissions, session cookies in headers, page content in responses. This was acceptable in the 1990s when most internet was browsed from trusted networks; it became unacceptable as wifi spread and surveillance became routine. Modern defaults assume any HTTP traffic is observable by attackers.
The standard pattern in 2026: serve port 80 only to issue a 301 Permanent Redirect to HTTPS, then HSTS (HTTP Strict Transport Security) header on the HTTPS response tells browsers to never try HTTP again for that domain. After the first visit, browsers refuse plain HTTP entirely for HSTS-protected domains. Some major sites (banks, government, security-focused services) preload HSTS into the browser binary so even the first visit is HTTPS-only.
During web app pentesting, verify that port 80 properly redirects to 443 with appropriate HSTS headers. Common findings: redirects use 302 instead of 301 (browsers do not cache the redirect), HSTS missing or has too-short max-age, includeSubDomains missing leaving subdomains attackable, or the redirect goes to HTTP instead of HTTPS (configuration bug). Each of these is a valid bug-bounty finding for security-focused targets.
Monitor outbound HTTP traffic from your network for password-like form submissions. Modern phishing pages still occasionally use HTTP for the credential capture step (poor opsec by attackers). Detection: look for POST requests to unusual hosts containing form fields named "password", "pass", "pwd", or similar.
Many IoT devices, network printers, and embedded systems still serve management interfaces on HTTP port 80 (no HTTPS support). Pentest finding: any management interface accepting authentication over HTTP is a critical finding because the credentials are observable on the network. Mitigation when HTTPS upgrade is not possible: restrict access to a management VLAN, require VPN to reach the device.
Live demonstration of Wireshark capturing an HTTP login on a training network is one of the most effective ways to convey why HTTPS matters. Trainees see their own (or instructor's) password appear in cleartext in the captured packets. Concrete and visceral in a way that abstract security advice cannot match.
When investigating data exfiltration, HTTP to unusual destinations is a strong signal. Many malware families use HTTP POST to attacker-controlled servers for exfiltration because it is allowed through firewalls (most outbound HTTP is allowed) and the C2 infrastructure is cheap to set up. Network logs showing HTTP POST to recently-registered domains warrant investigation.
Any user reaching your site via HTTP gets unencrypted content. If they log in, credentials are observable. If session cookies are sent, they are stealable. If page content is sensitive, anyone on the network sees it. The fix is mechanical: configure web server to 301 redirect all port 80 traffic to the HTTPS equivalent. Five minutes of work, dramatic security improvement.
302 (temporary) redirects are not cached by browsers, so every page load re-checks HTTP first. 301 (permanent) tells browsers to update bookmarks and cache the redirect — subsequent visits go directly to HTTPS. Performance and security both benefit from 301.
Without HSTS, an attacker on the network can intercept the first HTTP request a user makes and serve a malicious response (the redirect can be removed). Once the user is on HTTPS legitimately, the HSTS header tells the browser "never try HTTP again". Without it, the downgrade-attack window stays open forever.
An HTTPS page that includes HTTP-served images, scripts, or stylesheets has the worst of both worlds — the HTTP resources can be intercepted/modified by network attackers, and modern browsers either block them or display warnings that hurt user trust. Audit your pages for any http:// URLs in src/href attributes; convert all to https:// or protocol-relative //example.com/....
Common misconfiguration: Cloudflare serves HTTPS to users, then proxies to origin via HTTP. Anyone with access to the Cloudflare-to-origin network path (cloud provider, hosting employee) can read the cleartext traffic. Configure Cloudflare to use "Full (Strict)" SSL mode and serve HTTPS on origin too.
If you completely disable port 80, users typing your domain into a browser get connection refused (browsers default to HTTP unless told otherwise). The 301 redirect from HTTP to HTTPS is what makes the user experience smooth. Disable HTTP after HSTS has been deployed and preloaded; before that, the redirect is what bridges the gap.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload) that tells browsers to never use HTTP for this domain again. After receiving HSTS, the browser converts all http:// URLs to https:// automatically and refuses to fall back to HTTP even if explicitly requested. This eliminates downgrade attacks where a network attacker intercepts the first HTTP request.http://example.com:8080/ explicitly. Port 8080 is otherwise just HTTP — same security implications, same protocol.ws:// scheme (cleartext) vs wss:// (encrypted, port 443). Same security trade-off as HTTP vs HTTPS: ws:// is observable on the network, wss:// is encrypted. Modern apps should use wss:// exclusively. Browsers refuse ws:// connections from HTTPS pages (mixed content blocking).curl -I http://example.com/ — should return HTTP/1.1 301 Moved Permanently with Location: https://example.com/. Then curl -I https://example.com/ should return 200 with the Strict-Transport-Security header present. Use hstspreload.org for full HSTS configuration validation. The Hacker Scorecard tool also checks all of this./.well-known/acme-challenge/ path used by Let's Encrypt for certificate validation — this needs port 80 open during certificate issuance/renewal. Some IoT and embedded systems lack TLS support entirely. For internal-only services on private networks, HTTP is sometimes acceptable when the network itself is trusted (though this is increasingly seen as bad practice — zero-trust assumes networks are not trusted). For internet-facing services serving real users, HTTPS is the only acceptable choice in 2026.