Global schemes use 'http' protocol instead of 'https'
Description
This policy checks that the global schemes declared in the API definition use the 'https' protocol rather than 'http'. The 'http' protocol is insecure because it does not encrypt the data in transit, leaving it open to interception by malicious third parties. 'https', by contrast, encrypts the communication between the client and the server, providing a secure connection. An API that allows 'http' therefore poses a security risk: confidential data transferred over it can be intercepted and misused. Ensuring that the global schemes use only the 'https' protocol is an important safeguard for sensitive data.
Code Example
```yaml
swagger: '2.0'
info:
  version: 1.0.0
  title: Simple API
schemes:
  - https
```
Remediation
OpenAPI
To fix the issue, you need to change the schemes from 'http' to 'https'. You should update the `schemes` field in the OpenAPI document to only include 'https' and remove 'http'.
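The following is an added example, not Checkov's own implementation of CKV_OPENAPI_18 and not code from the page: a small stand-alone checker that loads an API definition as JSON, reports 'http' in the global `schemes` list, and produces a remediated copy with only 'https' left, as the remediation above describes. The function names (`find_insecure_schemes`, `is_compliant`, `remediate`) and the sample documents are constructed for this illustration. It also goes slightly beyond the rule text by inspecting the protocol of global `servers` URLs in OpenAPI 3.x documents, which carry the scheme inside each URL instead of a `schemes` list; treat that extension as this example's own assumption.

```python
import json
from urllib.parse import urlsplit


def find_insecure_schemes(spec):
    """Return a list of findings for global transport settings that permit plain http."""
    findings = []

    # Swagger 2.0: the top-level 'schemes' list is what this policy checks.
    for scheme in spec.get("schemes") or []:
        if str(scheme).lower() == "http":
            findings.append("schemes: 'http' permits unencrypted transport")

    # OpenAPI 3.x (assumed extension, not part of the rule text): the protocol
    # lives inside each global server URL rather than in a 'schemes' list.
    for server in spec.get("servers") or []:
        url = server.get("url", "") if isinstance(server, dict) else ""
        if urlsplit(url).scheme.lower() == "http":
            findings.append(f"servers: {url!r} uses http")

    return findings


def is_compliant(spec):
    """True when no global scheme or server URL allows plain http."""
    return not find_insecure_schemes(spec)


def remediate(spec):
    """Return a deep copy of a Swagger 2.0 spec with 'http' dropped from
    'schemes' and 'https' present, leaving the input untouched."""
    fixed = json.loads(json.dumps(spec))
    if "schemes" in fixed:
        schemes = [s for s in fixed["schemes"] if str(s).lower() != "http"]
        if "https" not in [str(s).lower() for s in schemes]:
            schemes.append("https")
        fixed["schemes"] = schemes
    return fixed


# Constructed sample documents for the example (not taken from the page).
FAILING_SPEC = json.loads("""
{
  "swagger": "2.0",
  "info": {"version": "1.0.0", "title": "Simple API"},
  "schemes": ["http", "https"]
}
""")

PASSING_SPEC = json.loads("""
{
  "swagger": "2.0",
  "info": {"version": "1.0.0", "title": "Simple API"},
  "schemes": ["https"]
}
""")

# OpenAPI 3.x style document with a plain-http server URL (constructed).
OAS3_FAILING_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "info": {"version": "1.0.0", "title": "Simple API"},
  "servers": [{"url": "http://api.example.invalid/v1"}]
}
""")


if __name__ == "__main__":
    for name, spec in [("failing", FAILING_SPEC), ("passing", PASSING_SPEC),
                       ("oas3-failing", OAS3_FAILING_SPEC)]:
        print(name, "compliant" if is_compliant(spec) else find_insecure_schemes(spec))
    print("remediated schemes:", remediate(FAILING_SPEC)["schemes"])
```

Running the checker over a definition that lists both 'http' and 'https' reports the 'http' entry; the remediated copy keeps only 'https', which is the state the rule expects.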
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1274 |
| Severity | HIGH |
| IaC Type | OpenAPI |
| Frameworks | OpenAPI |
| Checkov ID | CKV_OPENAPI_18 |