Usage of insecure HTTP connection

• Rule ID: javascript_lang_http_insecure
• Languages: javascript
• Source: http_insecure.yml

Description

Applications should only connect to API using HTTPS connections. This rule checks that all HTTP connections use HTTPS.

❌ Avoid using unsecured outgoing HTTP communication, especially in the context of API calls:

const response = axios.get('http://insecure-api.com')

✅ Ensure to always connect though HTTPS:

const response = axios.get('https://secure-api.com')

Resources

• OWASP insecure transport

Associated CWE

• CWE-319: Cleartext Transmission of Sensitive Information

OWASP Top 10

• A02:2021 - Cryptographic Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_http_insecure

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_http_insecure