Recipe Name:
Secure Transport: use RequiresSecure to enforce HTTPS
Description:
Serve requests over HTTPS instead of unencrypted HTTP
Level:
error
Language:
- java
Tags:
- Spring
- security
- framework specific
- web
- Spring Security
- OWASP Top 10
Documentation
For security reasons it is recommended to serve requests over HTTPS, instead of unencrypted HTTP.
Before
http.requiresChannel().anyRequest().requiresInsecure();
After
http.requiresChannel().anyRequest().requiresSecure();
References
Recipe
id: scw:spring:security:RequiresInsecure
version: 10
metadata:
  name: 'Secure Transport: use RequiresSecure to enforce HTTPS'
  shortDescription: Serve requests over HTTPS instead of unencrypted HTTP
  level: error
  language: java
  scwCategory: insufficient_transport_layer_protection:communication_over_cleartext_protocol_http
  enabled: true
  descriptionFile: descriptions/SecureTransportuseRequiresSecuretoenforceHTTPS.html
  tags: Spring;security;framework specific;web;Spring Security;OWASP Top 10
search:
  methodcall:
    name: requiresInsecure
    declaration:
      type: org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer.RequiresChannelUrl
availableFixes:
- name: Set to requiresSecure()
  actions:
  - rewrite:
      to: '{{{ qualifier }}}.requiresSecure()'
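
The Before/After fix shown in context, as an added example that is not part of the recipe or its vendor's code: a Spring Security filter chain in the page's chained style, assuming Spring Security 5.4 or later. The class name and the 8081/8444 port pair are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class TransportSecurityConfig { // hypothetical class name

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Flagged by the recipe: pins every request to plain HTTP, and
        // requests arriving over HTTPS are redirected back to HTTP.
        // http.requiresChannel().anyRequest().requiresInsecure();

        // Fixed: any request for which HttpServletRequest.isSecure() is false
        // is redirected to the same URL over HTTPS.
        http.requiresChannel().anyRequest().requiresSecure();

        // The redirect needs an HTTP -> HTTPS port pair. Spring Security ships
        // with 80 -> 443 and 8080 -> 8443; other ports must be declared.
        // 8081/8444 are constructed values for this example.
        http.portMapper().http(8081).mapsTo(8444);

        return http.build();
    }
}
```

When TLS terminates at a reverse proxy or load balancer, the servlet container has to honour the forwarded-protocol headers so that `isSecure()` reports true; otherwise every request is redirected again and the client loops.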