Usage of insecure HTTP connection

• Rule ID: ruby_lang_http_insecure
• Languages: ruby
• Source: http_insecure.yml

Description

Your application is at risk when it connects to APIs using insecure HTTP connections. This vulnerability occurs because HTTP does not encrypt data, making it susceptible to interception and alteration. Ensure that your application uses HTTPS, which encrypts data in transit, for all connections.

Remediations

• Do not use unsecured HTTP connections for outgoing communications, particularly when making API calls.

  response = HTTParty.get('http://insecure-api.com') # unsafe

• Do ensure all connections are made through HTTPS to protect data in transit with encryption.

  response = HTTParty.get('https://secure-api.com')

References

• OWASP insecure transport

Associated CWE

• CWE-319: Cleartext Transmission of Sensitive Information

OWASP Top 10

• A02:2021 - Cryptographic Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_lang_http_insecure

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_lang_http_insecure