Port 8443 · HTTPS (alt)
Port 8443 is the alt-HTTPS analog of 8080. Same considerations — risk depends entirely on what's listening.
What runs on port 8443
Port 8443 is a conventional alternate HTTPS port. Used by reverse proxies, application server admin interfaces, and any scenario where 443 is occupied by a primary service. The TLS handshake is the same as on 443; only the port number differs.
Why public exposure is dangerous
Same set of risks as 8080, mitigated by the TLS encryption layer. The remaining risks are around what's exposed at the application layer — Tomcat manager consoles, Jenkins, Confluence admin pages, internal dashboards on 8443 with weak authentication. Several historical breaches of corporate intranets traced to admin consoles inadvertently published on 8443.
How to lock it down
Audit the listener. Public production endpoints on 8443 are fine if they're hardened the same way as 443 — current TLS, authentication, abuse-resistant configuration. Admin / internal services should bind to a private network, not a public interface.
When public exposure is legitimate
Reverse-proxy upstreams, multi-tenant load balancers running on alternate ports, public APIs deliberately served on 8443. As with 8080, presence is not a finding; configuration is.
Other ports DomainCare scans
- :3306 MySQL — MySQL listens on port 3306 by default. Public exposure is a critical data-leak risk.
- :5432 PostgreSQL — PostgreSQL listens on port 5432 by default. Public exposure is a critical data-leak risk equivalent to MySQL.
- :6379 Redis — Redis listens on port 6379 by default. Public exposure historically allows unauthenticated arbitrary code execution.
- :27017 MongoDB — MongoDB listens on port 27017 by default. Historically responsible for the largest single data-leak class — pre-3.0 builds shipped without authentication enabled.