ID: go-security/grpc-server-insecure
Language: Go
Severity: Info
Category: Security
CWE: 300
The provided code snippet creates a new gRPC server instance without any transport security options, which makes it insecure. By default, the server will use an insecure communication channel, allowing data to be transmitted without encryption.
To fix this security issue, it is crucial to enable transport security using TLS (Transport Layer Security) in the gRPC server. Here’s an example of how the code can be updated to ensure a secure connection:
tlsCredentials, err := credentials.NewServerTLSFromFile("cert.pem", "key.pem")
if err != nil {
	// handle the error; do not start the server without credentials
}
s := grpc.NewServer(grpc.Creds(tlsCredentials))
In the updated code, TLS credentials are loaded from the “cert.pem” and “key.pem” files. These credentials contain the server’s certificate and private key necessary for TLS encryption. By passing the TLS credentials to grpc.Creds(), the gRPC server is configured to use transport security, ensuring that all incoming connections are secured.
It is important to use valid TLS certificates and private keys, with the certificates issued by a trusted certificate authority (CA) or self-signed for development/testing purposes. Additionally, make sure to keep the private key file secure and protect it from unauthorized access.
Enabling transport security with TLS in the gRPC server helps protect sensitive data exchanged between clients and the server by encrypting it, preventing unauthorized users from intercepting or tampering with the communication.
// Non-compliant: no transport credentials are passed to grpc.NewServer.
func main() {
	s := grpc.NewServer()
}
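// Compliant: transport credentials are passed through grpc.Creds.
func main() {
	// Load the server certificate and private key (server-side credentials).
	creds, err := credentials.NewServerTLSFromFile("cert.pem", "key.pem")
	if err != nil {
		// handle error
	}
	options := []grpc.ServerOption{
		grpc.Creds(creds),
	}
	server := grpc.NewServer(options...)
}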
// filename is not_compliant_test.go
func main() {
	s := grpc.NewServer()
}