Failure to use HTTPS URLs¶

ID: cpp/non-https-url
Kind: path-problem
Security severity: 8.1
Severity: warning
Precision: high
Tags:
   - security
   - external/cwe/cwe-319
   - external/cwe/cwe-345
Query suites:
   - cpp-code-scanning.qls
   - cpp-security-extended.qls
   - cpp-security-and-quality.qls

Click to see the query in the CodeQL repository

Constructing URLs with the HTTP protocol can lead to unsecured connections.

Recommendation¶

When you construct a URL, ensure that you use an HTTPS URL rather than an HTTP URL. Then, any connections that are made using that URL are secure SSL connections.

Example¶

The following example shows two ways of opening a connection using a URL. When the connection is opened using an HTTP URL rather than an HTTPS URL, the connection is unsecured. When the connection is opened using an HTTPS URL, the connection is a secure SSL connection.

void openUrl(char *url)
{
	// ...
}

openUrl("http://example.com"); // BAD

openUrl("https://example.com"); // GOOD: Opening a connection to a URL using HTTPS enforces SSL.

References¶

OWASP: Transport Layer Protection Cheat Sheet.
OWASP Top 10: A08:2021 - Software and Data Integrity Failures.
Common Weakness Enumeration: CWE-319.
Common Weakness Enumeration: CWE-345.

© GitHub, Inc.
Terms
Privacy

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.

Alternative Proxies:

Alternative Proxy