Failure to use HTTPS URLs¶
ID: cpp/non-https-urlKind: path-problemSecurity severity: 8.1Severity: warningPrecision: highTags: - security - external/cwe/cwe-319 - external/cwe/cwe-345Query suites: - cpp-code-scanning.qls - cpp-security-extended.qls - cpp-security-and-quality.qls
Click to see the query in the CodeQL repository
Constructing URLs with the HTTP protocol can lead to unsecured connections.
Recommendation¶
When you construct a URL, ensure that you use an HTTPS URL rather than an HTTP URL. Then, any connections that are made using that URL are secure SSL connections.
Example¶
The following example shows two ways of opening a connection using a URL. When the connection is opened using an HTTP URL rather than an HTTPS URL, the connection is unsecured. When the connection is opened using an HTTPS URL, the connection is a secure SSL connection.
voidopenUrl(char*url){// ...}openUrl("http://example.com");// BADopenUrl("https://example.com");// GOOD: Opening a connection to a URL using HTTPS enforces SSL.
References¶
OWASP Top 10:A08:2021 - Software and Data Integrity Failures.
Common Weakness Enumeration:CWE-319.
Common Weakness Enumeration:CWE-345.