Missing secure HTTP server configuration

Description

Your application may be at risk if it does not enforce SSL/TLS for all communications, especially when processing sensitive data. Enable force_ssl at the application level so that every request and response is encrypted in transit. Unencrypted HTTP sends every request in plain text, so anyone positioned on the network path can read the traffic and extract user data such as credentials and session cookies.

Remediations

  • Do enforce SSL to secure all data in transit. This is crucial for protecting sensitive information from eavesdropping or interception.
    config.force_ssl = true
  • Do not allow unencrypted HTTP traffic for your application. Unencrypted communications can be intercepted, exposing sensitive user data to attackers.
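As an added illustration (not part of this rule page and not Rails' own code), the following minimal Rack-style middleware models the three effects that config.force_ssl = true turns on in Rails: plain-HTTP requests are redirected to HTTPS, responses carry a Strict-Transport-Security header, and cookies are marked Secure. The class, the sample app, the request helper and the host example.test are constructed for the example; it runs on plain Ruby without Rails or the rack gem.

```ruby
# Simplified model of the behaviour Rails enables with config.force_ssl = true
# (ActionDispatch::SSL). Added example, not Rails' code. It follows the Rack
# interface (env hash in, [status, headers, body] out) so it needs no gems.
class ForceSslMiddleware
  # One-year HSTS policy covering subdomains (assumed policy for this example).
  HSTS = "max-age=31536000; includeSubDomains"

  def initialize(app)
    @app = app
  end

  def call(env)
    return redirect_to_https(env) unless https?(env)

    status, headers, body = @app.call(env)
    headers["Strict-Transport-Security"] ||= HSTS
    headers["Set-Cookie"] = flag_cookies_secure(headers["Set-Cookie"]) if headers["Set-Cookie"]
    [status, headers, body]
  end

  private

  # Trust the scheme the server saw, or the one forwarded by a TLS-terminating proxy.
  def https?(env)
    env["rack.url_scheme"] == "https" || env["HTTP_X_FORWARDED_PROTO"] == "https"
  end

  # GET/HEAD get a permanent redirect; other methods get 307 so method and body survive.
  def redirect_to_https(env)
    status = %w[GET HEAD].include?(env["REQUEST_METHOD"]) ? 301 : 307
    location = "https://#{env["HTTP_HOST"]}#{env["PATH_INFO"]}"
    location += "?#{env["QUERY_STRING"]}" unless env["QUERY_STRING"].to_s.empty?
    [status, { "Location" => location, "Content-Type" => "text/html" }, []]
  end

  # Add the Secure attribute to any cookie lacking it, so browsers never send it over HTTP.
  def flag_cookies_secure(set_cookie)
    set_cookie.split("\n").map { |c| c =~ /;\s*secure/i ? c : "#{c}; secure" }.join("\n")
  end
end

# Constructed sample app: sets a session cookie on every response.
APP = ->(_env) { [200, { "Content-Type" => "text/plain", "Set-Cookie" => "_app_session=abc123; path=/; HttpOnly" }, ["ok"]] }
SECURED_APP = ForceSslMiddleware.new(APP)

# Constructed request helper so the middleware can be exercised without a server.
def request(method, scheme, path, query = "")
  SECURED_APP.call("REQUEST_METHOD" => method, "rack.url_scheme" => scheme,
                   "HTTP_HOST" => "example.test", "PATH_INFO" => path, "QUERY_STRING" => query)
end
```

A request such as request("GET", "http", "/login", "next=%2Faccount") is answered with a 301 to https://example.test/login?next=%2Faccount, while the same request over HTTPS reaches the app and comes back with the HSTS header and a Secure-flagged cookie.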

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=ruby_rails_insecure_communication

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=ruby_rails_insecure_communication