Why This Issue Is Important
In an Apigee proxy, every connection to an external callout system (a ServiceCallout or target endpoint backend, or a remote syslog server used by MessageLogging) must be encrypted to preserve data confidentiality. If the connection is not encrypted, i.e. the data is sent over HTTP instead of HTTPS, request and response bodies, headers, and any credentials or API keys passed to the callout target cross the network in plain text. An attacker positioned on the path can intercept that traffic, potentially leading to the disclosure of sensitive or confidential information.
How This Issue Is Detected
CodeSent detects this issue by analyzing the connection configuration within the proxy to confirm that HTTPS (TLS) is used for every callout system.
CodeSent scans the HTTPTargetConnection element of ServiceCallout policies and target endpoints, and the Syslog element of MessageLogging policies, to identify the URL and SSLInfo settings. A connection is flagged if its URL starts with http://, which means the data is sent unencrypted, or if its SSLInfo configuration has Enabled set to false, which disables TLS (the successor to SSL) for that connection.
How to Fix the Issue
To fix this issue, use an https:// URL for every callout connection and explicitly enable TLS in the SSLInfo block, as in the HTTPTargetConnection below. For a Syslog logging target, set Protocol to TCP and add the same SSLInfo block, since TLS for syslog is not enabled by default. Enabling TLS protects the data in transit; if the callout target's certificate should also be validated, add a TrustStore reference inside SSLInfo as well.
<HTTPTargetConnection>
<URL>https://example.com/api</URL>
<SSLInfo>
<Enabled>true</Enabled>
</SSLInfo>
</HTTPTargetConnection>
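The following Python script is an added example, not part of CodeSent or of this page, that implements the detection logic described under How This Issue Is Detected and runs it over constructed Apigee policy fragments, including the corrected configuration shown above. The element names (HTTPTargetConnection, URL, SSLInfo, Enabled, Syslog, Host, Port, Protocol) are the standard Apigee ones; the sample policies, the hostnames and the function name find_unencrypted_connections are constructed for this illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: a ServiceCallout whose target is reached over plain HTTP.
INSECURE_CALLOUT = """<ServiceCallout name="SC-Backend">
  <Request variable="myRequest"/>
  <Response>calloutResponse</Response>
  <HTTPTargetConnection>
    <URL>http://example.com/api</URL>
  </HTTPTargetConnection>
</ServiceCallout>"""

# Constructed sample: an https URL whose SSLInfo explicitly turns TLS off.
SSL_DISABLED_CALLOUT = """<ServiceCallout name="SC-Backend">
  <HTTPTargetConnection>
    <URL>https://example.com/api</URL>
    <SSLInfo>
      <Enabled>false</Enabled>
    </SSLInfo>
  </HTTPTargetConnection>
</ServiceCallout>"""

# Constructed sample: the corrected configuration from the fix section.
SECURE_CALLOUT = """<ServiceCallout name="SC-Backend">
  <HTTPTargetConnection>
    <URL>https://example.com/api</URL>
    <SSLInfo>
      <Enabled>true</Enabled>
    </SSLInfo>
  </HTTPTargetConnection>
</ServiceCallout>"""

# Constructed sample: a MessageLogging policy shipping syslog over plain TCP.
INSECURE_SYSLOG = """<MessageLogging name="ML-Syslog">
  <Syslog>
    <Message>{request.verb} {request.uri}</Message>
    <Host>logs.example.com</Host>
    <Port>514</Port>
    <Protocol>TCP</Protocol>
  </Syslog>
</MessageLogging>"""


def _text(parent, tag, default=""):
    """Return the stripped text of a direct child element, or default if absent."""
    node = parent.find(tag)
    if node is None or node.text is None:
        return default
    return node.text.strip()


def _ssl_enabled(conn):
    """True/False for an explicit <SSLInfo><Enabled> value, None when not configured."""
    value = _text(conn, "SSLInfo/Enabled", default=None)
    if value is None:
        return None
    return value.lower() == "true"


def find_unencrypted_connections(policy_xml):
    """Return one finding string per unencrypted callout or syslog connection."""
    root = ET.fromstring(policy_xml)
    findings = []

    # ServiceCallout policies and target endpoints: check the URL scheme and SSLInfo.
    for conn in root.iter("HTTPTargetConnection"):
        url = _text(conn, "URL")
        if urlsplit(url).scheme.lower() == "http":
            findings.append(f"HTTPTargetConnection uses plain http URL: {url}")
        if _ssl_enabled(conn) is False:
            findings.append(f"HTTPTargetConnection has SSLInfo/Enabled=false for {url}")

    # MessageLogging Syslog targets: TLS is opt-in, so anything not explicitly
    # enabled is sent in clear text (UDP is Apigee's default protocol).
    for syslog in root.iter("Syslog"):
        host = _text(syslog, "Host")
        port = _text(syslog, "Port")
        proto = _text(syslog, "Protocol", default="UDP").upper()
        enabled = _ssl_enabled(syslog)
        if enabled is not True:
            findings.append(f"Syslog to {host}:{port} over {proto} without SSLInfo/Enabled=true")
        elif proto != "TCP":
            # Assumption for this example: TLS for syslog requires the TCP transport.
            findings.append(f"Syslog to {host}:{port} enables TLS but uses {proto}, not TCP")

    return findings


if __name__ == "__main__":
    for name, policy in [("INSECURE_CALLOUT", INSECURE_CALLOUT),
                         ("SSL_DISABLED_CALLOUT", SSL_DISABLED_CALLOUT),
                         ("SECURE_CALLOUT", SECURE_CALLOUT),
                         ("INSECURE_SYSLOG", INSECURE_SYSLOG)]:
        print(name, find_unencrypted_connections(policy) or "OK")
```

Run the script directly to see one finding for each of the three insecure fragments and none for the corrected one. The scheme check uses urlsplit rather than a string prefix so that a URL such as HTTP://... with unusual casing is still caught; a connection whose URL is https:// with no SSLInfo at all is not flagged, matching the two conditions the check above describes.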