We had a PCI compliance scan, and it comes back with an item that states "Web application Transmits Login Credentials Without Encryption". The evidence is "ipaddress/.../Blogs.svc".
This file does not exist on the server. I do not see it listed in the csproj file on the server.
If I go to the URL, then I will get username/password prompt, but only if I use HTTP. If I use local admin credentials it will pass them through, but will go to a 404 error.
Any ideas on where the PCI scan is getting this Blogs.svc page?