Ensure we use https://

문서 > Datadog 보안 > Code Security > Static Code Analysis (SAST) > SAST Rules > Ensure we use https://

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

ID: go-security/http-request-secure

Language: Go

Severity: Warning

Category: Security

CWE: 319

Description

Making HTTP requests (using http://) instead of HTTPS requests (using https://) can pose security risks, as information transmitted over HTTP is not encrypted and can be easily intercepted by malicious actors. This could potentially lead to sensitive data being exposed, such as login credentials or personal information.

To avoid this security risk, it’s important to always make HTTP requests using HTTPS. This ensures that the data being transmitted is encrypted, offering a higher level of security and protecting sensitive information.

To follow best practices and avoid making HTTP requests, developers should:

Always specify https:// in URIs when making API calls or requesting resources.
Use libraries or frameworks that automatically default to HTTPS for requests.
Implement a Content Security Policy (CSP) on web applications to enforce secure connections.
Avoid hardcoding URLs and consider using environment variables to store and retrieve URLs dynamically.

By following these practices, developers can enhance the security of their applications and protect sensitive data from potential threats.

Non-Compliant Code Examples

func main () {
    response, err := http.Get("http://www.datadoghq.com")
    response, err := http.Head("http://www.datadoghq.com", something, somethingElse)
    response, err := http.Post("http://www.datadoghq.com")
    response, err := http.PostForm("http://www.datadoghq.com", myForm)

    response, err := http.PostForm("http://domain.tld/localhost", myForm)

}

Compliant Code Examples

func main () {
    response, err := http.Get("https://www.datadoghq.com")
    response, err := http.Head("https://www.datadoghq.com", something, somethingElse)
    response, err := http.Post("https://www.datadoghq.com")
    response, err := http.PostForm("https://www.datadoghq.com", myForm)

    response, err := http.PostForm("http://localhost", myForm)
    response, err := http.PostForm("http://127.0.0.1", myForm)
}