This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: go-security/http-request-secure

Language: Go

Severity: Warning

Category: Security

CWE: 319

Description

Making HTTP requests (using http://) instead of HTTPS requests (using https://) can pose security risks, as information transmitted over HTTP is not encrypted and can be easily intercepted by malicious actors. This could potentially lead to sensitive data being exposed, such as login credentials or personal information.

To avoid this security risk, it’s important to always make HTTP requests using HTTPS. This ensures that the data being transmitted is encrypted, offering a higher level of security and protecting sensitive information.

To follow best practices and avoid making HTTP requests, developers should:

  1. Always specify https:// in URIs when making API calls or requesting resources.
  2. Use libraries or frameworks that automatically default to HTTPS for requests.
  3. Implement a Content Security Policy (CSP) on web applications to enforce secure connections.
  4. Avoid hardcoding URLs and consider using environment variables to store and retrieve URLs dynamically.

By following these practices, developers can enhance the security of their applications and protect sensitive data from potential threats.

Non-Compliant Code Examples

func main () {
    response, err := http.Get("http://www.datadoghq.com")
    response, err := http.Head("http://www.datadoghq.com", something, somethingElse)
    response, err := http.Post("http://www.datadoghq.com")
    response, err := http.PostForm("http://www.datadoghq.com", myForm)

    response, err := http.PostForm("http://domain.tld/localhost", myForm)

}

Compliant Code Examples

func main () {
    response, err := http.Get("https://www.datadoghq.com")
    response, err := http.Head("https://www.datadoghq.com", something, somethingElse)
    response, err := http.Post("https://www.datadoghq.com")
    response, err := http.PostForm("https://www.datadoghq.com", myForm)

    response, err := http.PostForm("http://localhost", myForm)
    response, err := http.PostForm("http://127.0.0.1", myForm)
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis

PREVIEWING: rtrieu/product-analytics-ui-changes