Usage of insecure HTTP connection

• Rule ID: php_lang_http_insecure
• Languages: php
• Source: http_insecure.yml

Description

Your application is at risk when it connects to APIs using insecure HTTP connections. This vulnerability occurs because HTTP lacks encryption, making data susceptible to interception and alteration. Always verify that your application exclusively uses HTTPS connections for enhanced security.

Remediations

• Do not initiate connections using unsecured HTTP. This exposes your data to potential interception and manipulation.

  $curl = curl_init('http://insecure-api.com'); // unsafe

• Do ensure all connections are made through HTTPS to encrypt data and protect against eavesdropping and tampering.

  $curl = curl_init('https://secure-api.com');

References

• OWASP insecure transport

Associated CWE

• CWE-319: Cleartext Transmission of Sensitive Information

OWASP Top 10

• A02:2021 - Cryptographic Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_lang_http_insecure

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_lang_http_insecure