Connection to the system is not encrypted

Why This Issue Is Important

In an Apigee proxy, ensuring that all communications, especially those involving external callout systems, are encrypted is critical for maintaining data confidentiality. If the connection to a callout system is not encrypted (i.e., the data is transferred via HTTP instead of HTTPS), the data is transmitted in plain text. This makes it vulnerable to interception by attackers, potentially leading to the disclosure of sensitive or confidential information.

How This Issue Is Detected

CodeSent detects this issue by analyzing the connection configuration within the proxy to ensure that HTTPS is used for callout systems.

CodeSent scans the HTTPTargetConnection or Syslog configurations in the policy to identify the URL and SSL settings. The tool checks whether the URL used for the connection starts with http://, which indicates an unencrypted connection. It also checks the SSLInfo configuration to determine whether SSL (Secure Sockets Layer) is disabled.

How to Fix the Issue

To fix this issue, you should ensure that all connections to callout systems use HTTPS and that SSL is enabled.

<HTTPTargetConnection>
    <URL>https://example.com/api</URL>
    <SSLInfo>
        <Enabled>true</Enabled>
    </SSLInfo>
</HTTPTargetConnection>
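The following added example (not CodeSent's own code) reproduces the two checks described under "How This Issue Is Detected" as a small Python linter over Apigee policy XML, and shows that the hardened configuration above produces no findings. The three policy snippets are constructed samples; the treatment of a Syslog block without SSLInfo as plaintext is an assumption.

```python
import xml.etree.ElementTree as ET
# Constructed sample: ServiceCallout with a plaintext URL and SSL explicitly disabled
INSECURE_POLICY = """<ServiceCallout name="SC-Lookup">
  <HTTPTargetConnection>
    <URL>http://example.com/api</URL>
    <SSLInfo><Enabled>false</Enabled></SSLInfo>
  </HTTPTargetConnection>
</ServiceCallout>"""
# Constructed sample: the hardened form shown in the fix above
SECURE_POLICY = """<ServiceCallout name="SC-Lookup">
  <HTTPTargetConnection>
    <URL>https://example.com/api</URL>
    <SSLInfo><Enabled>true</Enabled></SSLInfo>
  </HTTPTargetConnection>
</ServiceCallout>"""
# Constructed sample: MessageLogging to a syslog host with no SSLInfo at all
SYSLOG_POLICY = """<MessageLogging name="ML-Audit">
  <Syslog>
    <Message>{request.verb} {request.uri}</Message>
    <Host>logs.example.com</Host>
    <Port>514</Port>
    <Protocol>TCP</Protocol>
  </Syslog>
</MessageLogging>"""

def ssl_state(element):
    """Return 'true', 'false' or None (no SSLInfo/Enabled present) for an element."""
    value = element.findtext("SSLInfo/Enabled")
    return None if value is None else value.strip().lower()

def find_unencrypted_connections(policy_xml):
    """Return (element_name, reason) findings mirroring the checks described above."""
    root = ET.fromstring(policy_xml)
    findings = []
    # HTTPTargetConnection appears in TargetEndpoint and ServiceCallout definitions
    for conn in root.iter("HTTPTargetConnection"):
        url = (conn.findtext("URL") or "").strip()
        if url.lower().startswith("http://"):
            findings.append(("HTTPTargetConnection", "plaintext URL " + url))
        if ssl_state(conn) == "false":
            findings.append(("HTTPTargetConnection", "SSLInfo explicitly disabled"))
    # Syslog appears in MessageLogging; assumption: without SSLInfo/Enabled=true it is plaintext
    for syslog in root.iter("Syslog"):
        if ssl_state(syslog) != "true":
            findings.append(("Syslog", "SSLInfo not enabled"))
    return findings
```

Run `find_unencrypted_connections` over each policy file exported from the proxy bundle; an empty list means the file passes both checks.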