HTTP communication with user-controlled destination detected.


Applications should not connect to locations formed from user input. This rule checks for URLs containing user-supplied data.


❌ Avoid using user input in HTTP URLs:

// userInput is a placeholder name for any value taken from the request
const response = axios.get(`https://${userInput}`)

✅ Use user input indirectly to form a URL:

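const hosts = new Map([
  ["option1", ""], // each value is a fixed host name chosen by the application
  ["option2", ""]
])

// userInput (placeholder name) only selects an entry; it never becomes part of the URL
const host = hosts.get(userInput)
const response = axios.get(`https://${host}`)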
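
The lookup above still produces `https://undefined` when the key is not in the map, so a complete resolver should reject unknown keys before any request is made. The following is an added example, not part of the rule's documentation: the function names, the `example.com` hosts and the `/v1/items/` path are constructed for illustration, and it goes one step further than the text by also validating a user-supplied path segment.

```javascript
// Constructed allow-list: user input selects a key, never a host name.
const ALLOWED_HOSTS = new Map([
  ["option1", "api1.example.com"], // placeholder hosts
  ["option2", "api2.example.com"],
]);

// Resolve a user-supplied option key and resource id to a fixed HTTPS URL.
// Throws instead of returning a URL whenever the input is not recognised.
function resolveUpstream(optionKey, resourceId) {
  // Map lookups do not consult Object.prototype, so keys such as
  // "constructor" or "__proto__" are rejected like any other unknown key.
  if (typeof optionKey !== "string" || !ALLOWED_HOSTS.has(optionKey)) {
    throw new Error("unknown upstream option");
  }
  const host = ALLOWED_HOSTS.get(optionKey);

  // The path segment is restricted to a narrow character set so that
  // "/", "?", "#" or "@" cannot change the structure of the URL.
  if (typeof resourceId !== "string" || !/^[A-Za-z0-9_-]{1,64}$/.test(resourceId)) {
    throw new Error("invalid resource id");
  }
  const url = new URL(`https://${host}/v1/items/${encodeURIComponent(resourceId)}`);

  // Defence in depth: confirm the parsed destination is the allow-listed one.
  if (url.protocol !== "https:" || url.hostname !== host ||
      url.username || url.password || url.port) {
    throw new Error("resolved URL does not match allow-listed host");
  }
  return url.href;
}

// Wrapper that reports the outcome instead of throwing, for logging or tests.
function tryResolve(optionKey, resourceId) {
  try {
    return { ok: true, url: resolveUpstream(optionKey, resourceId) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed sample inputs: one valid key, a raw host name, a prototype name.
for (const key of ["option1", "internal.example.net", "constructor"]) {
  console.log(key, tryResolve(key, "abc-123"));
}
```

The returned string is the only value that should be handed to `axios.get`; the raw request parameter is never interpolated into the URL.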

Associated CWE

OWASP Top 10
