# Cleartext Transmission of Sensitive Information

## Description

The application can load content over HTTP, making it vulnerable to Man-in-the-Middle attacks.

## Examples

### Insecure Code

```javascript
new BrowserWindow({webPreferences: {allowRunningInsecureContent: true}})
```

### Secure Code

```javascript
new BrowserWindow({webPreferences: {allowRunningInsecureContent: false}})
```

## Remediation

Set the `allowRunningInsecureContent` property to `false` in the `BrowserWindow` web preferences to prevent loading content over HTTP.

## Rule Details
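The following is an added example, not part of this rule page or the scanner's own implementation: a small audit helper that inspects the options object passed to `new BrowserWindow(...)`, reports the flag this rule targets, and returns a hardened copy. It assumes Electron's documented default of `allowRunningInsecureContent: false`, so an omitted flag is treated as secure; the function names and sample option objects are constructed here.

```javascript
// Added example in the spirit of rule CODE-0367 (CWE-319). Plain objects only,
// so it runs without Electron installed. Not Electron's API and not the
// scanner's own rule code.
const RULE_ID = 'CODE-0367';

// Audit one BrowserWindow options object. Returns an array of findings;
// an empty array means the configuration is acceptable for this rule.
// A missing webPreferences block or a missing flag is treated as the
// Electron default (false), i.e. secure.
function auditBrowserWindowOptions(options) {
  const findings = [];
  const prefs = (options && options.webPreferences) || {};
  if (prefs.allowRunningInsecureContent === true) {
    findings.push({
      ruleId: RULE_ID,
      severity: 'CRITICAL',
      cwe: 'CWE-319',
      message: 'webPreferences.allowRunningInsecureContent is true: ' +
               'HTTP sub-resources may run inside an HTTPS window',
    });
  }
  return findings;
}

// Return a hardened copy of the options with the flag explicitly set to
// false, matching the Secure Code sample above. The input is not mutated.
function hardenBrowserWindowOptions(options) {
  const hardened = { ...(options || {}) };
  hardened.webPreferences = {
    ...(hardened.webPreferences || {}),
    allowRunningInsecureContent: false,
  };
  return hardened;
}

// Constructed sample configurations (not taken from any real application).
const insecureOptions = { width: 800, webPreferences: { allowRunningInsecureContent: true } };
const secureOptions = { width: 800, webPreferences: { allowRunningInsecureContent: false } };
const defaultOptions = { width: 800 };

for (const [name, opts] of Object.entries({ insecureOptions, secureOptions, defaultOptions })) {
  const findings = auditBrowserWindowOptions(opts);
  console.log(name, findings.length === 0 ? 'OK' : findings.map((f) => f.message).join('; '));
}
console.log('hardened:', JSON.stringify(hardenBrowserWindowOptions(insecureOptions).webPreferences));
```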
| Field | Value |
|---|---|
| ID | CODE-0367 |
| Category | InsecureConfig |
| Severity | CRITICAL |
| CWE | CWE-319 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | Man-in-the-Middle, HTTP |
| OWASP | A6:2017-Security Misconfiguration, A05:2021-Security Misconfiguration |