Sensei Logo Sensei Hub

Recipe - Secure Transport: use RequiresSecure to enforce HTTPS on all paths

Description:
Enforce HTTPS on all requests, not just on a selected number
Level:
warning
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • OWASP Top 10
Documentation

For security reasons, it is recommended to serve requests over HTTPS, instead of unencrypted HTTP.

Before
http.requiresChannel().antMatchers("/pattern").requiresSecure();
After
http.requiresChannel().requiresSecure();
References
Recipe
id: scw:spring:security:RequiresSecure-allpaths
version: 10
metadata:
  name: 'Secure Transport: use RequiresSecure to enforce HTTPS on all paths'
  shortDescription: Enforce HTTPS on all requests, not just on a selected number
  level: warning
  language: java
  scwCategory: insufficient_transport_layer_protection:communication_over_cleartext_protocol_http
  enabled: true
  descriptionFile: descriptions/SecureTransportuseRequiresSecureonallpaths.html
  tags: Spring;security;framework specific;web;Spring Security;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: java.lang.String
    followedBy:
      methodcall:
        name: requiresSecure
    name: antMatchers
    declaration:
      type: org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry
    "on":
      methodcall:
        name: requiresChannel
availableFixes:
- name: Apply requiresChannel to all paths
  actions:
  - rewrite:
      to: '{{{ qualifier }}}'