The path scheme supports unencrypted HTTP connections
Description
This policy checks that the path scheme of the application programming interface (API) does not support unencrypted HTTP connections. Over an unencrypted HTTP connection, all data transmitted between the user and the website is sent in plaintext and can be intercepted and read by third parties on the network path. This is a significant security risk, since sensitive data such as personal information, passwords and credit card details could be exposed and exploited. It is therefore essential to use an encrypted transport such as HTTPS to protect data in transit and defend against such attacks.
Code Example
```yaml
openapi: 3.0.0
info:
  title: Sample API
  description: API description in Markdown.
  version: 1.0.0
servers:
  - url: https://api.example.com/v1
paths:
  /users:
    get:
      summary: Returns a list of users.
      description: Optional extended description in Markdown.
```
Remediation
OpenAPI
To fix the issue, ensure that your API supports only HTTPS connections and not HTTP. In a Swagger 2.0 definition this is done by setting the 'schemes' list (globally and on any operation that overrides it) to contain only 'https'; in an OpenAPI 3.x definition, where 'schemes' does not exist, the transport is taken from the 'servers' URLs, so every server URL must use 'https://', as in the example above.
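The following added example (written for this page, not Checkov's implementation of CKV_OPENAPI_7) walks a Swagger 2.0 or OpenAPI 3.x document and reports every location that still permits plain HTTP, covering the global, path-level and operation-level places described above; the two sample documents are constructed for the demonstration.

```python
from urllib.parse import urlsplit

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def _http_servers(servers, where):
    """Yield (location, url) for OpenAPI 3.x server entries whose URL scheme is plain http."""
    for i, server in enumerate(servers):
        url = server.get("url", "")
        # Relative server URLs have no scheme and inherit the hosting site's transport, so skip them.
        if urlsplit(url).scheme.lower() == "http":
            yield (f"{where}servers[{i}]", url)

def _http_schemes(schemes, where):
    """Yield (location, scheme) for Swagger 2.0 'schemes' entries that are plain http."""
    for scheme in schemes:
        if scheme.lower() == "http":
            yield (f"{where}schemes", scheme)

def http_findings(spec):
    """Return every location in a Swagger 2.0 or OpenAPI 3.x document that permits unencrypted HTTP."""
    findings = []
    findings += _http_schemes(spec.get("schemes", []), "")      # Swagger 2.0, global
    findings += _http_servers(spec.get("servers", []), "")      # OpenAPI 3.x, global
    for path, item in spec.get("paths", {}).items():
        findings += _http_servers(item.get("servers", []), f"paths.{path}.")  # OpenAPI 3.x, path-level
        for method, op in item.items():
            if method.lower() in HTTP_METHODS and isinstance(op, dict):
                where = f"paths.{path}.{method}."
                findings += _http_schemes(op.get("schemes", []), where)  # Swagger 2.0, per operation
                findings += _http_servers(op.get("servers", []), where)  # OpenAPI 3.x, per operation
    return findings

# Constructed sample documents (not from the page): a Swagger 2.0 definition that still
# allows http, and the same API rewritten for OpenAPI 3.x with an HTTPS-only server list.
SWAGGER2_WEAK = {
    "swagger": "2.0",
    "schemes": ["https", "http"],
    "paths": {"/users": {"get": {"schemes": ["http"], "summary": "Returns a list of users."}}},
}
OAS3_FIXED = {
    "openapi": "3.0.0",
    "servers": [{"url": "https://api.example.com/v1"}],
    "paths": {"/users": {"get": {"summary": "Returns a list of users."}}},
}

if __name__ == "__main__":
    for name, spec in (("weak", SWAGGER2_WEAK), ("fixed", OAS3_FIXED)):
        print(name, http_findings(spec) or "no unencrypted HTTP found")
```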
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1263 |
| Severity | HIGH |
| IaC Type | OpenAPI |
| Frameworks | OpenAPI |
| Checkov ID | CKV_OPENAPI_7 |