Usage of insecure HTTP connection

• Rule ID: javascript_lang_http_insecure
• Languages: javascript
• Source: http_insecure.yml

Description

Your application is at risk when it connects to APIs using insecure HTTP connections. This vulnerability occurs because HTTP does not encrypt data, making it susceptible to interception and alteration. Ensure that your application uses HTTPS, which encrypts data in transit, for all connections.

Remediations

• Do not use HTTP for outgoing connections or API calls. This practice leaves your data vulnerable to eavesdropping and tampering.

  const response = axios.get('http://insecure-api.com') // unsafe

• Do ensure all external connections, especially API calls, use HTTPS to protect data in transit.

  const response = axios.get('https://secure-api.com')

References

• OWASP insecure transport

Associated CWE

• CWE-319: Cleartext Transmission of Sensitive Information

OWASP Top 10

• A02:2021 - Cryptographic Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_http_insecure

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_http_insecure