rspec/rules/S4423/javascript/rule.adoc

include::../description.adoc[]

== Noncompliant Code Example

``++secureProtocol++``, ``++minVersion++``/``++maxVersion++`` and ``++secureOptions++`` should not be set to use weak TLS protocols (TLSv1.1 and lower):

[source,javascript]
----
let options = {
  secureProtocol: 'TLSv1_method' // Noncompliant: TLS1.0 is insecure
};

let options = {
  minVersion: 'TLSv1.1',  // Noncompliant: TLS1.1 is insecure
  maxVersion: 'TLSv1.2' 
};

let options = {
  secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_TLSv1
}; // Noncompliant TLS 1.1 (constants.SSL_OP_NO_TLSv1_1) is not disabled
----

https://nodejs.org/api/https.html[https] built-in module:

[source,javascript]
----
let req = https.request(options, (res) => {
  res.on('data', (d) => {
    process.stdout.write(d);
  });
});  // Noncompliant
----

https://nodejs.org/api/tls.html[tls] built-in module:

[source,javascript]
----
let socket = tls.connect(443, "www.example.com", options, () => { });  // Noncompliant
----

https://www.npmjs.com/package/request[request] module:

[source,javascript]
----
let socket = request.get(options);
----

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.DomainName.html[aws-cdk-lib.aws_apigateway.DomainName]:

[source,javascript]
----
import { aws_apigateway as agw } from 'aws-cdk-lib';

new agw.DomainName(this, 'Example', {
    certificate: certificate,
    domainName: domainName,
    securityPolicy: agw.SecurityPolicy.TLS_1_0, // Noncompliant
});
----

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_opensearchservice.Domain.html[aws-cdk-lib.aws_opensearchservice.Domain]:

[source,javascript]
----
import { aws_opensearchservice as os } from 'aws-cdk-lib';

new os.CfnDomain(this, 'Example', {
  domainEndpointOptions: {
    enforceHttps: true,
  },
}); // NonCompliant by default
----

== Compliant Solution

Set either ``++secureProtocol++`` or ``++secureOptions++`` or ``++minVersion++`` to use secure protocols only (TLSv1.2 and higher):

[source,javascript]
----
let options = {
  secureProtocol: 'TLSv1_2_method'
};
// or
let options = {
  secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1
};
// or
let options = {
    minVersion: 'TLSv1.2'
};
----

https://nodejs.org/api/https.html[https] built-in module:

[source,javascript]
----
let req = https.request(options, (res) => {
  res.on('data', (d) => {
    process.stdout.write(d);
  });
});
----


https://nodejs.org/api/tls.html[tls] built-in module:

[source,javascript]
----
let socket = tls.connect(443, "www.example.com", options, () => { }); 
----

https://www.npmjs.com/package/request[request] module:

[source,javascript]
----
let socket = request.get(options);
----

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.DomainName.html[aws-cdk-lib.aws_apigateway.DomainName]:

[source,javascript]
----
import { aws_apigateway as agw } from 'aws-cdk-lib';

new agw.DomainName(this, 'Example', {
    certificate: certificate,
    domainName: domainName,
    securityPolicy: agw.SecurityPolicy.TLS_1_2,
});
----

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_opensearchservice.Domain.html[aws-cdk-lib.aws_opensearchservice.Domain]:

[source,javascript]
----
import { aws_opensearchservice as os } from 'aws-cdk-lib';

new os.CfnDomain(this, 'Example', {
  domainEndpointOptions: {
    enforceHttps: true,
    tlsSecurityPolicy: 'Policy-Min-TLS-1-2-2019-07',
  },
});
----

include::../see.adoc[]
* https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html[Amazon API Gateway] - Choosing a minimum TLS version

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::message.adoc[]

include::../highlighting.adoc[]

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]