Secure Transport: use RequiresSecure to enforce HTTPS on all paths :: Recipe Details

Recipe Name:

Secure Transport: use RequiresSecure to enforce HTTPS on all paths

Description:

Enforce HTTPS on all requests, not just on a selected number

Level:

warning

Language:

java

Tags:

Spring
security
framework specific
web
Spring Security
OWASP Top 10

Documentation

For security reasons, it is recommended to serve requests over HTTPS, instead of unencrypted HTTP.

Before

http.requiresChannel().antMatchers("/pattern").requiresSecure();

After

http.requiresChannel().requiresSecure();

References

Recipe

id: scw:spring:security:RequiresSecure-allpaths
version: 10
metadata:
  name: 'Secure Transport: use RequiresSecure to enforce HTTPS on all paths'
  shortDescription: Enforce HTTPS on all requests, not just on a selected number
  level: warning
  language: java
  scwCategory: insufficient_transport_layer_protection:communication_over_cleartext_protocol_http
  enabled: true
  descriptionFile: descriptions/SecureTransportuseRequiresSecureonallpaths.html
  tags: Spring;security;framework specific;web;Spring Security;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: java.lang.String
    followedBy:
      methodcall:
        name: requiresSecure
    name: antMatchers
    declaration:
      type: org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry
    "on":
      methodcall:
        name: requiresChannel
availableFixes:
- name: Apply requiresChannel to all paths
  actions:
  - rewrite:
      to: '{{{ qualifier }}}'