Sensitive data sent through an unsecure HTTP communication detected.

Description

Sensitive data should only be sent through HTTPS. This rule checks that any HTTP request carrying sensitive data is sent to an HTTPS URL rather than a plain HTTP one.

Remediations

❌ Avoid sending sensitive data through unsecured HTTP communication:

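require 'httparty'

# Insecure: name, email and the purchase file travel in cleartext over HTTP.
HTTParty.post(
  'http://unsecure-api.com/user',
  body: {
    name: user.name,
    email: user.email,
    # Double quotes so that user.id is actually interpolated into the path.
    purchase: File.open("/#{user.id}/purchase.xls")
  }
)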

✅ Always connect through HTTPS when sending sensitive data:

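require 'httparty'

# Secure: the same payload is sent over TLS to an https:// URL.
HTTParty.post(
  'https://secure-api.com/user',
  body: {
    name: user.name,
    email: user.email,
    # Double quotes so that user.id is actually interpolated into the path.
    purchase: File.open("/#{user.id}/purchase.xls")
  }
)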
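The rule flags hard-coded `http://` URLs, but a destination often comes from configuration. The following added example (not part of the original rule documentation, and not HTTParty's own API) shows a runtime guard that refuses to send sensitive fields to anything other than an absolute HTTPS URL. The names `SENSITIVE_KEYS`, `InsecureTransportError`, `https_url?` and `post_sensitive` are hypothetical, and the key list is an assumption that mirrors the fields in the snippets above.

```ruby
require 'uri'

# Hypothetical error type raised when sensitive data would leave over cleartext.
class InsecureTransportError < StandardError; end

# Assumption: body keys treated as sensitive, mirroring the snippets above.
SENSITIVE_KEYS = %i[name email purchase].freeze

# True only for an absolute URL whose scheme is https and that names a host.
# Scheme-less, protocol-relative ("//host/path") and malformed URLs are rejected.
def https_url?(url)
  uri = URI.parse(url.to_s.strip)
  uri.scheme.to_s.casecmp?('https') && !uri.host.to_s.empty?
rescue URI::InvalidURIError
  false
end

# Sends body to url through sender (for example HTTParty.method(:post)),
# but raises first if the body holds sensitive keys and the URL is not HTTPS.
def post_sensitive(url, body, sender:)
  sensitive = body.keys.map(&:to_sym) & SENSITIVE_KEYS
  if sensitive.any? && !https_url?(url)
    # The URL is left out of the message because it may embed credentials.
    raise InsecureTransportError,
          "refusing to send #{sensitive.join(', ')} to a non-HTTPS URL"
  end
  sender.call(url, body: body)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed stand-in for HTTParty.post so the demo runs offline.
  stub = ->(url, body:) { "sent #{body.keys.size} field(s) to #{url}" }
  payload = { name: 'Ada', email: 'ada@example.test' } # constructed sample data

  puts post_sensitive('https://secure-api.com/user', payload, sender: stub)
  begin
    post_sensitive('http://unsecure-api.com/user', payload, sender: stub)
  rescue InsecureTransportError => e
    puts "blocked: #{e.message}"
  end
end
```

With the httparty gem loaded, pass `sender: HTTParty.method(:post)` to send real requests through the same guard.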

Resources

Associated CWE

OWASP Top 10