Sensei Logo Sensei Hub

Recipe - Secure Transport: use RequiresSecure to enforce HTTPS

Description:
Serve requests over HTTPS instead of unencrypted HTTP
Level:
error
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • OWASP Top 10
Documentation

For security reasons it is recommended to serve requests over HTTPS, instead of unencrypted HTTP.

Before
http.requiresChannel().anyRequest().requiresInsecure();
After
http.requiresChannel().anyRequest().requiresSecure();
References
Recipe
id: scw:spring:security:RequiresInsecure
version: 10
metadata:
  name: 'Secure Transport: use RequiresSecure to enforce HTTPS'
  shortDescription: Serve requests over HTTPS instead of unencrypted HTTP
  level: error
  language: java
  scwCategory: insufficient_transport_layer_protection:communication_over_cleartext_protocol_http
  enabled: true
  descriptionFile: descriptions/SecureTransportuseRequiresSecuretoenforceHTTPS.html
  tags: Spring;security;framework specific;web;Spring Security;OWASP Top 10
search:
  methodcall:
    name: requiresInsecure
    declaration:
      type: org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer.RequiresChannelUrl
availableFixes:
- name: Set to requiresSecure()
  actions:
  - rewrite:
      to: '{{{ qualifier }}}.requiresSecure()'