Recipe Name:
Should use requiresSecure
Description:
Use of HTTP instead of HTTPS is insecure
Level:
error
Language:
- java
Tags:
- Spring
- security
- framework specific
- web
- Spring Security
- OWASP Top 10
Documentation
Use requiresSecure() to enforce HTTPS connections
Sensitive data should be encrypted at all times, including in transit and at rest. HTTPS also vouches for the authenticity of a web page, so serving content without it increases the application's exposure.
Before
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.requiresChannel().anyRequest();
}
After
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.requiresChannel().anyRequest().requiresSecure();
}
References
Recipe
id: scw:spring:security:RequiresSecure-missing
version: 10
metadata:
  name: Should use requiresSecure
  shortDescription: Use of HTTP instead of HTTPS is insecure
  level: error
  language: java
  scwCategory: insufficient_transport_layer_protection:communication_over_cleartext_protocol_http
  enabled: true
  descriptionFile: descriptions/DonotacceptanythingovernonHTTPSconnections.html
  tags: Spring;security;framework specific;web;Spring Security;OWASP Top 10
search:
  methodcall:
    not:
      followedBy:
        methodcall:
          name: requiresSecure
    in:
      method:
        in:
          typeDeclaration:
            super:
              name: WebSecurityConfigurerAdapter
        name: configure
        parameters:
          1:
            type: HttpSecurity
    type:
      reference:
        matches: org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer<.*>.ChannelRequestMatcherRegistry
      checkInheritance: true
availableFixes:
- name: Append requiresSecure method call
  actions:
  - addMethodCall:
      name: requiresSecure
      position: first-available-spot
      useMethodChaining: true
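A text-level approximation of the recipe's search rule, usable as a CI check. This is an added example, not part of the original page or the recipe itself. It flags every requiresChannel() call whose statement never reaches requiresSecure(). The function name and the sample Java sources are constructed for illustration. Unlike the recipe, it does no type resolution and does not restrict matches to configure(HttpSecurity) in WebSecurityConfigurerAdapter subclasses.

```python
import re

# Constructed sample inputs (not from the original page).
INSECURE = """\
class WebConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // TODO: add .requiresSecure() later
        http.requiresChannel()
            .anyRequest();
    }
}
"""
SECURE = INSECURE.replace(".anyRequest();", ".anyRequest().requiresSecure();")

# Java line comments, block comments and string literals. A mention of
# requiresSecure() inside any of these must not count as a real call.
_COMMENT_OR_STRING = re.compile(
    r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"', re.DOTALL)


def _blank(match):
    # Replace with spaces but keep newlines so line numbers stay accurate.
    return re.sub(r"[^\n]", " ", match.group(0))


def find_missing_requires_secure(java_source):
    """Return 1-based line numbers of requiresChannel() calls whose
    statement (text up to the next ';') never calls requiresSecure()."""
    code = _COMMENT_OR_STRING.sub(_blank, java_source)
    findings = []
    for call in re.finditer(r"\.\s*requiresChannel\s*\(", code):
        end = code.find(";", call.end())
        statement = code[call.end(): end if end != -1 else len(code)]
        if not re.search(r"\.\s*requiresSecure\s*\(", statement):
            findings.append(code.count("\n", 0, call.start()) + 1)
    return findings


if __name__ == "__main__":
    for name, src in (("INSECURE", INSECURE), ("SECURE", SECURE)):
        print(name, find_missing_requires_secure(src))
```

Because the check is per statement, a registry stored in a variable and secured in a later statement is reported as a finding and needs manual review.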