---
title: HTTP request used instead of HTTPS
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST
  Rules > HTTP request used instead of HTTPS
---

# HTTP request used instead of HTTPS

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**ID:** `rust-security/http-insecure-request`

**Language:** Rust

**Severity:** Warning

**Category:** Security

**CWE**: [319](https://cwe.mitre.org/data/definitions/319.html)

**Related CWEs**:

- [1428](https://cwe.mitre.org/data/definitions/1428.html)

## Description{% #description %}

Making HTTP requests instead of HTTPS transmits data in cleartext over the network, exposing credentials, tokens, and payloads to any passive observer on the network path. Use `https://` URLs unconditionally for external connections.

#### Learn More{% #learn-more %}

- [CWE-319: Cleartext Transmission of Sensitive Information](https://cwe.mitre.org/data/definitions/319.html)

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```rust
use reqwest::Client;

async fn bad_calls() -> reqwest::Result<()> {
    let client = Client::new();
    let _ = client.get("http://api.example.com").send().await?;
    let _ = client.post("http://api.example.com/users").send().await?;

    // Module-level call
    let _ = reqwest::get("http://api.example.com").await?;
    let _ = reqwest::get(r"http://api.example.com").await?;

    // ureq call
    let _ = ureq::get("http://api.example.com").call()?;
    Ok(())
}
```

## Compliant Code Examples{% #compliant-code-examples %}

```rust
use reqwest::Client;

async fn ok_calls() -> reqwest::Result<()> {
    let client = Client::new();
    let _ = client.get("https://api.example.com").send().await?;
    let _ = client.post("https://api.example.com/users").send().await?;
    let _ = reqwest::get("https://api.example.com").await?;

    // Loopback addresses are allowed
    let _ = client.get("http://localhost:8080").send().await?;
    let _ = client.get("http://127.0.0.1:3000/health").send().await?;
    let _ = client.get("http://[::1]/status").send().await?;
    Ok(())
}
```
  Seamless integrations. Try Datadog Code SecurityDatadog Code Security 
{% icon name="icon-external-link" /%}