Usage of insecure HTTP connection

Description

Your application is at risk when it connects to APIs using insecure HTTP connections. This vulnerability occurs because HTTP lacks encryption, making data susceptible to interception and alteration. Always verify that your application exclusively uses HTTPS connections for enhanced security.

Remediations

  • Do not initiate connections using unsecured HTTP. This exposes your data to potential interception and manipulation.
    $curl = curl_init('http://insecure-api.com'); // unsafe
  • Do ensure all connections are made through HTTPS to encrypt data and protect against eavesdropping and tampering.
    $curl = curl_init('https://secure-api.com');

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_lang_http_insecure

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_lang_http_insecure