CodeSent Rules - Comprehensive API Security & Static Analysis

Target BasicAuthentication JavaScript Proxy

Name	Scopes	Tags	Links
Critical
Connection to the system is not encrypted	ServiceCallout MessageLogging Target	Data in Transit	CWE-319
Lack of certificate validation	ServiceCallout MessageLogging Target	Data in Transit	CWE-295
High
API Key is not removed before the request is sent to target system	Proxy	Data in Transit	CWE-201
Authorization header is not removed before the request is sent to target system	Proxy	Data in Transit	CWE-201
No TLS protocol specified in connection definition	ServiceCallout MessageLogging Target	Data in Transit	CWE-327
Proxy doesn't have default flow	Proxy	Code Quality Data Validation	CWE-20
Use of weak hash algorithms	AssignMessage HMAC JavaScript	Secure Configuration	CWE-327
Medium
Lack of DefaultFaultRule	Target Proxy	Error Handling	CWE-390
MatchesPath is applied to a static parameter	Target Proxy	Code Quality Data Validation	CWE-20
No SpikeArrest policy is applied	Proxy	Code Quality DoS Protection	CWE-770
Unreachable FaultRule	Target Proxy	Code Quality	CWE-561
Unreachable Flow	Target Proxy	Code Quality	CWE-561
Unreachable RouteRule	Proxy	Code Quality	CWE-561
Low
Missing security headers	Proxy	Secure Configuration	CWE-523
No mask configuration for the proxy	Proxy	Code Quality
Info
Missing API versioning	Proxy	Secure Configuration	CWE-710
Policy is not linked to step	Proxy	Code Quality	CWE-561
Resource is not linked to a policy	Proxy	Code Quality	CWE-561