User signup endpoint without HTTPS

Description

This API endpoint allows the registration of new users into an application over a non-encrypted channel.

Using plain HTTP for APIs is a significant security risk because it exposes sensitive data to potential interception, manipulation, and unauthorized access. Services must only provide HTTPS endpoints.

Rationale

This finding works by identifying an API that:

  • Is tracking a user signup business logic event (tag user.signup).
  • Uses an HTTP connection, sending data in the clear over the wire.

Remediation

  • Implement the HTTP Strict Transport Security (HSTS) header to instruct the user’s browser to always request the site over HTTPS.
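Browsers ignore an HSTS header that arrives over plain HTTP (RFC 6797), and non-browser API clients do not honor it at all, so the header only helps once the endpoint itself stops answering over HTTP. The following added example, which is not Datadog or application code, shows both halves as a standard-library WSGI middleware. The names HTTPSOnly, signup_app and probe, the host signup.example.test used in testing, and the one-year max-age are assumptions.

```python
# Added example: HTTPSOnly, signup_app and probe are illustrative names.
from urllib.parse import quote
from wsgiref.util import setup_testing_defaults

HSTS = "max-age=31536000; includeSubDomains"  # assumed policy: one year

class HTTPSOnly:
    """Refuse plain-HTTP requests; add HSTS to every HTTPS response."""

    def __init__(self, app, canonical_host):
        self.app = app
        self.host = canonical_host  # configured value, never the Host header

    def __call__(self, environ, start_response):
        # Behind a TLS-terminating proxy, set wsgi.url_scheme from a trusted header first.
        if environ.get("wsgi.url_scheme") != "https":
            return self._plain_http(environ, start_response)

        def add_hsts(status, headers, exc_info=None):
            kept = [h for h in headers if h[0].lower() != "strict-transport-security"]
            kept.append(("Strict-Transport-Security", HSTS))
            return start_response(status, kept, exc_info)

        return self.app(environ, add_hsts)

    def _plain_http(self, environ, start_response):
        # No HSTS here: browsers ignore the header on plain HTTP (RFC 6797).
        if environ["REQUEST_METHOD"] in ("GET", "HEAD"):
            path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", ""))
            query = environ.get("QUERY_STRING", "")
            target = f"https://{self.host}{path}" + (f"?{query}" if query else "")
            start_response("301 Moved Permanently", [("Location", target)])
            return [b""]
        # A POST body has already crossed the wire in the clear: reject, do not process.
        body = b"HTTPS required\n"
        start_response("403 Forbidden", [("Content-Length", str(len(body)))])
        return [body]

def signup_app(environ, start_response):  # constructed stand-in for the signup handler
    start_response("201 Created", [("Content-Type", "text/plain")])
    return [b"created\n"]

def probe(app, method, scheme, path="/signup"):
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "wsgi.url_scheme": scheme}
    setup_testing_defaults(environ)
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen.update(status=status, headers=dict(headers))
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```

Calling probe(HTTPSOnly(signup_app, "signup.example.test"), "POST", "http") exercises the rejected path without opening a socket.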

References

Reference | Description
OWASP - Transport Layer Security Cheat Sheet | Transport Layer Security Cheat Sheet: guidance on implementing transport layer protection for applications using Transport Layer Security (TLS).