Prevent use of http protocol

Este producto no es compatible con el sitio Datadog seleccionado. ().
Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Metadata

ID: ruby-security/no-http

Language: Ruby

Severity: Info

Category: Security

CWE: 319

Description

This rule is designed to prevent the use of the insecure HTTP protocol in your Ruby code. The HTTP protocol does not encrypt the data that is sent between the client and the server, which can lead to sensitive information being intercepted by malicious parties. This is particularly risky when dealing with sensitive data such as API keys, user credentials, or personal user information.

The importance of this rule lies in the security and integrity of your application. By using an unsecured protocol like HTTP, you expose your application and its users to potential data breaches. A breach can lead to loss of trust, legal liability, and significant remediation costs.

To avoid violating this rule, always use the HTTPS protocol when making network requests. HTTPS encrypts the data sent between the client and server, protecting it from interception. By using libraries like Faraday, HTTPX, HTTParty, RestClient, or Ruby’s built-in Net::HTTP, you can specify HTTPS by simply replacing ‘http://’ with ‘https://’. For example, instead of HTTP.get("http://example.org"), use HTTP.get("https://example.org"). Always ensure that any third-party services your application interacts with support HTTPS.

Non-Compliant Code Examples

require "faraday"
require 'uri'

params = {title: "foo", body: "bar", userID: 1}
encoded_params = URI.encode_www_form(params)
response = Faraday.post("http://example.org", encoded_params)
p response.body if response.status == 201

require "httpx"

response = HTTPX.get("http://www.example.org")
puts response.body if response.status == 200

require "http"

response = HTTP.get("http://example.org", :params => {:api_key => "API_KEY"})
response = HTTP.post("http://example.org", :form => something)

require 'httparty'

response = HTTParty.get('http://example.org')
puts response.body if response.code == 200

response = HTTParty.get('http://example.com', format: :plain)
RestClient.post "http://example.com", {'x' => 1}.to_json, {content_type: :json, accept: :json}

require 'uri'
require 'net/http'

uri = URI('http://example.org')
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Integraciones sin problemas. Prueba Datadog Code Security

Datadog Code Security