<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>Constructing URLs with the plain HTTP scheme (<code>http://</code>) leads to connections that are neither encrypted nor authenticated, so the traffic can be read and modified in transit.</p>
<p>Furthermore, constructing URLs with the HTTP protocol can create problems if other parts of the
code expect HTTPS URLs. A typical pattern is to use libraries that expect secure connections,
which may fail or fall back to insecure behavior when provided with HTTP URLs instead of HTTPS URLs.</p>
</overview>
<recommendation>
<p>When you construct a URL for network requests, ensure that you use an HTTPS URL rather than an HTTP URL.
Then, any connections that are made using that URL are secure SSL/TLS connections.</p>
</recommendation>
<example>
<p>The following example shows two ways of making a network request using a URL. When the request is
made using an HTTP URL rather than an HTTPS URL, the connection is unsecured and can be intercepted
by attackers. When the request is made using an HTTPS URL, the connection is a secure SSL/TLS connection.</p>
<sample src="UseOfHttpBad.rs" />
<p>A better approach is to use HTTPS:</p>
<sample src="UseOfHttpGood.rs" />
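<p>The following is an added example, not one of this query's samples and not reqwest code: a standard-library check that rejects plain HTTP URLs before any request is built, so a base URL taken from configuration cannot silently downgrade the connection. The helper names and the example hostnames are assumptions.</p>

```rust
// Added example (not part of the CodeQL query or its samples): reject plain
// http:// URLs before they reach the client, using only the standard library.
// reqwest's ClientBuilder::https_only(true) enforces the same rule at request time.

#[derive(Debug, PartialEq)]
pub enum UrlError {
    PlaintextHttp(String),     // http:// scheme: traffic would be unencrypted
    UnsupportedScheme(String), // anything other than http/https
    MissingScheme(String),     // no "scheme://" prefix at all
}

/// Split a URL into (lower-cased scheme, remainder); schemes are
/// case-insensitive per RFC 3986, so "HTTP://" must be caught too.
fn scheme_of(url: &str) -> Option<(String, &str)> {
    let idx = url.find("://")?;
    let scheme = &url[..idx];
    let valid = scheme.starts_with(|c: char| c.is_ascii_alphabetic())
        && scheme.chars().all(|c| c.is_ascii_alphanumeric() || "+-.".contains(c));
    if !valid {
        return None;
    }
    Some((scheme.to_ascii_lowercase(), &url[idx + 3..]))
}

/// Accept only https:// URLs; plain http:// is reported distinctly so the
/// caller can log it as a misconfiguration rather than a malformed URL.
pub fn require_https(url: &str) -> Result<String, UrlError> {
    match scheme_of(url) {
        Some((s, rest)) if s == "https" => Ok(format!("https://{rest}")),
        Some((s, _)) if s == "http" => Err(UrlError::PlaintextHttp(url.to_string())),
        Some((s, _)) => Err(UrlError::UnsupportedScheme(s)),
        None => Err(UrlError::MissingScheme(url.to_string())),
    }
}

/// Join a configured base URL and a path. The base is validated first, so an
/// http:// value from config or an environment variable cannot slip through.
pub fn build_request_url(base: &str, path: &str) -> Result<String, UrlError> {
    let base = require_https(base)?;
    Ok(format!("{}/{}", base.trim_end_matches('/'), path.trim_start_matches('/')))
}

fn main() {
    // Constructed sample inputs, not real endpoints.
    for u in ["https://api.example.com", "HTTP://api.example.com", "api.example.com"] {
        println!("{u:<28} -> {:?}", require_https(u));
    }
}
```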
</example>
<references>
<li>
OWASP:
<a href="https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html">Transport Layer Protection Cheat Sheet</a>.
</li>
<li>
OWASP Top 10:
<a href="https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/">A08:2021 - Software and Data Integrity Failures</a>.
</li>
<li>Rust reqwest documentation:
<a href="https://docs.rs/reqwest/">reqwest crate</a>.
</li>
</references>
</qhelp>