Recipe Name:
Should use requiresSecure
Description:
Use of HTTP instead of HTTPS is insecure
Level:
error
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • OWASP Top 10
Documentation

Use requiresSecure() to enforce HTTPS connection

Sensitive data should be encrypted at all times, including in transit and at rest. HTTPS links are a synonym of web page authenticity, hence its lack increases vulnerability.

Before
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.requiresChannel().anyRequest();
}
After
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.requiresChannel().anyRequest().requiresSecure();
}
References
Recipe
id: scw:spring:security:RequiresSecure-missing
version: 10
metadata:
  name: Should use requiresSecure
  shortDescription: Use of HTTP instead of HTTPS is insecure
  level: error
  language: java
  scwCategory: insufficient_transport_layer_protection:communication_over_cleartext_protocol_http
  enabled: true
  descriptionFile: descriptions/DonotacceptanythingovernonHTTPSconnections.html
  tags: Spring;security;framework specific;web;Spring Security;OWASP Top 10
search:
  methodcall:
    not:
      followedBy:
        methodcall:
          name: requiresSecure
    in:
      method:
        in:
          typeDeclaration:
            super:
              name: WebSecurityConfigurerAdapter
        name: configure
        parameters:
          1:
            type: HttpSecurity
    type:
      reference:
        matches: org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer<.*>.ChannelRequestMatcherRegistry
      checkInheritance: true
availableFixes:
- name: Append requiresSecure method call
  actions:
  - addMethodCall:
      name: requiresSecure
      position: first-available-spot
      useMethodChaining: true