ea81fee645
Co-authored-by: pierre-loup-tristant-sonarsource <pierre-loup-tristant-sonarsource@users.noreply.github.com>
70 lines
1.6 KiB
Plaintext
70 lines
1.6 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
== Ask Yourself Whether
|
|
|
|
* Application data needs to be protected against tampering or leaks when transiting over the network.
|
|
* Application data transits over an untrusted network.
|
|
* Compliance rules require the service to encrypt data in transit.
|
|
* OS-level protections against clear-text traffic are deactivated.
|
|
|
|
There is a risk if you answered yes to any of those questions.
|
|
|
|
== Recommended Secure Coding Practices
|
|
|
|
* Make application data transit over a secure, authenticated and encrypted protocol like TLS or SSH. Here are a few alternatives to the most common clear-text protocols:
|
|
** Use ``++sftp++``, ``++scp++``, or ``++ftps++`` instead of ``++ftp++``.
|
|
** Use ``++https++`` instead of ``++http++``.
|
|
|
|
It is recommended to secure all transport channels, even on local networks, as it can take a single non-secure connection to compromise an entire application or system.
|
|
|
|
== Sensitive Code Example
|
|
|
|
[source,yaml]
|
|
----
|
|
- name: HTTP request
|
|
hosts: all
|
|
tasks:
|
|
- name: Noncompliant
|
|
uri:
|
|
url: http://example.com # Sensitive
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
[source,yaml]
|
|
----
|
|
- name: HTTPS request
|
|
hosts: all
|
|
tasks:
|
|
- name: Noncompliant
|
|
uri:
|
|
url: https://example.com
|
|
----
|
|
|
|
== See
|
|
|
|
include::../common/resources/documentation.adoc[]
|
|
|
|
include::../common/resources/articles.adoc[]
|
|
|
|
include::../common/resources/standards-iac.adoc[]
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
== Message
|
|
|
|
* Make sure that using clear-text protocols is safe here.
|
|
|
|
== Highlighting
|
|
|
|
Highlight the URL.
|
|
|
|
'''
|
|
|
|
endif::env-github,rspecator-view[]
|