Cleartext transmission of sensitive information

Description

The application was found setting `force_ssl` to `false`. This setting can expose the application to the risk of network interception of unencrypted traffic. Enabling `force_ssl` by setting `config.force_ssl = true` in the application's configuration, specifically within `config/environments/production.rb`, forces the use of HTTPS, encrypting data in transit and safeguarding against eavesdropping or data tampering.

Examples

Insecure Code

ruby

config.force_ssl = false

Secure Code

ruby

config.force_ssl = true

Remediation

Set `config.force_ssl` to `true` in the application's configuration.

Rule Details

Field	Value
ID	CODE-0552
Category	InsecureConfig
Severity	MEDIUM
CWE	CWE-319
Confidence	HIGH
Impact	HIGH
Likelihood	MEDIUM
Exploitability	EASY
Tags	ssl, https, encryption
OWASP	A3:2017-Sensitive Data Exposure, A04:2021-Insecure Design

References

https://github.com/semgrep/semgrep-rules/blob/develop/ruby/lang/security/force-ssl-false.yaml

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Cleartext transmission of sensitive information

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

Cleartext transmission of sensitive information ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

References ​

Cleartext transmission of sensitive information

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References