Usage of insecure HTTP connection
- Rule ID: php_lang_http_insecure
- Languages: php
- Source: http_insecure.yml
Description
Your application is at risk when it connects to APIs using insecure HTTP connections. This vulnerability occurs because HTTP lacks encryption, making data susceptible to interception and alteration. Always verify that your application exclusively uses HTTPS connections for enhanced security.
Remediations
- Do not initiate connections using unsecured HTTP. This exposes your data to potential interception and manipulation.
$curl = curl_init('http://insecure-api.com'); // unsafe
- Do ensure all connections are made through HTTPS to encrypt data and protect against eavesdropping and tampering.
$curl = curl_init('https://secure-api.com');
References
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=php_lang_http_insecure
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=php_lang_http_insecure