include::../description.adoc[]

== Ask Yourself Whether

* Application data needs to be protected against tampering or leaks when transiting over the network.
* Application data transits over an untrusted network.
* Compliance rules require the service to encrypt data in transit.
* OS-level protections against clear-text traffic are deactivated.

There is a risk if you answered yes to any of those questions.


== Recommended Secure Coding Practices

* Make application data transit over a secure, authenticated and encrypted protocol like TLS or SSH. Here are a few alternatives to the most common clear-text protocols:
** Use ``++sftp++``, ``++scp++``, or ``++ftps++`` instead of ``++ftp++``.
** Use ``++https++`` instead of ``++http++``.


It is recommended to secure all transport channels, even on local networks, as it can take a single non-secure connection to compromise an entire application or system.


== Sensitive Code Example

[source,docker]
----
RUN curl http://www.example.com/
----

== Compliant Solution

[source,docker]
----
RUN curl https://www.example.com/
----

== See

* https://cwe.mitre.org/data/definitions/200[MITRE, CWE-200] - Exposure of Sensitive Information to an Unauthorized Actor
* https://cwe.mitre.org/data/definitions/319[MITRE, CWE-319] - Cleartext Transmission of Sensitive Information
* https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html[Google, Moving towards more secure web]
* https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/[Mozilla, Deprecating non secure http]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

== Message

* Make sure that using clear-text protocols is safe here.

== Highlighting

Highlight the URL.

'''

endif::env-github,rspecator-view[]