Cleartext HTTP used in Spring RestTemplate
Description
Data transmitted over plain HTTP is sent in cleartext, so anyone on the network path can read or modify it (a man-in-the-middle attack) and sensitive information such as credentials, tokens or personal data can be exposed. To ensure confidentiality and integrity, use HTTPS instead of HTTP for every URL the RestTemplate calls.
Examples
Insecure Code

```java
RestTemplate restTemplate = new RestTemplate();
restTemplate.getForObject("http://example.com", String.class);
```

Secure Code

```java
RestTemplate restTemplate = new RestTemplate();
restTemplate.getForObject("https://example.com", String.class);
```

Remediation
Replace `http://` with `https://` in the RestTemplate URL so the connection is encrypted with TLS. Apply the same change to URLs that are built from configuration or URI templates, since the scheme is just as easy to get wrong there as in a literal.
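Fixing one literal does not stop the next caller from passing a cleartext URL. The following is an added example, not code from this rule or from the Spring project: a `ClientHttpRequestInterceptor` (a real Spring interface) that inspects the fully expanded request URI and refuses anything that is not `https`, so a cleartext request fails before any bytes leave the JVM. The class name `HttpsOnlyInterceptor` and the helper `httpsOnlyRestTemplate()` are this example's own; `example.com` is the host used in the rule text.

```java
import java.io.IOException;
import java.net.URI;

import org.springframework.http.HttpRequest;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.web.client.RestTemplate;

/**
 * Example interceptor (not part of Spring): fails closed on any outbound
 * RestTemplate call whose scheme is not https. Because it runs after URI
 * template expansion, it also catches cleartext URLs assembled at runtime
 * from configuration values.
 */
public final class HttpsOnlyInterceptor implements ClientHttpRequestInterceptor {

    @Override
    public ClientHttpResponse intercept(HttpRequest request, byte[] body,
                                        ClientHttpRequestExecution execution) throws IOException {
        URI uri = request.getURI();
        // Reject "http", missing or unexpected schemes; only "https" passes.
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException(
                "Refusing cleartext request to " + uri + ": only https:// is permitted");
        }
        return execution.execute(request, body);
    }

    /** Builds a RestTemplate with the HTTPS-only guard installed (example helper). */
    public static RestTemplate httpsOnlyRestTemplate() {
        RestTemplate restTemplate = new RestTemplate();
        restTemplate.getInterceptors().add(new HttpsOnlyInterceptor());
        return restTemplate;
    }

    public static void main(String[] args) {
        RestTemplate restTemplate = httpsOnlyRestTemplate();

        // Rejected by the interceptor before any network I/O happens.
        try {
            restTemplate.getForObject("http://example.com", String.class);
        } catch (IllegalArgumentException e) {
            System.err.println("blocked: " + e.getMessage());
        }

        // Permitted: the scheme is https, so the request proceeds over TLS.
        String body = restTemplate.getForObject("https://example.com", String.class);
        System.out.println("fetched " + body.length() + " bytes over TLS");
    }
}
```

The guard is a backstop for the rule above, not a substitute for it: static analysis still catches the literal at review time, while the interceptor catches URLs that only become cleartext at runtime. It enforces the scheme only; certificate validation is still performed by the underlying request factory and must not be disabled.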
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0461 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-319 |
| Confidence | MEDIUM |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | RestTemplate, HTTPS |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |
References
- https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/client/RestTemplate.html#delete-java.lang.String-java.util.Map-
- https://www.baeldung.com/rest-template