CodeSent Rules - Comprehensive API Security & Static Analysis

ServiceCallout Flow BasicAuthentication Proxy

Name	Severity	Scopes	Tags	Links
Connection to the system is not encrypted	Critical	ServiceCallout MessageLogging Target	Data in Transit	CWE-319
Lack of certificate validation	Critical	ServiceCallout MessageLogging Target	Data in Transit	CWE-295
API Key is not removed before the request is sent to target system	High	Proxy	Data in Transit	CWE-201
Authorization header is not removed before the request is sent to target system	High	Proxy	Data in Transit	CWE-201
Flow accepts confidential data as URL parameters	High	Flow PreFlow	Data in Transit	CWE-598
JSONThreatProtection policy is not applied to a request body with JSON type	High	Flow	Data Validation	CWE-502 CWE-20
No TLS protocol specified in connection definition	High	ServiceCallout MessageLogging Target	Data in Transit	CWE-327
Proxy doesn't have default flow	High	Proxy	Code Quality Data Validation	CWE-20
Condition has undefined variables	Medium	Step RouteRule Flow	Code Quality	CWE-570 CWE-571
Flow accepts requests with any method	Medium	Flow	Data Validation	CWE-749
Flow doesn't limit HTTP methods correctly	Medium	Flow	Data Validation	CWE-749
Lack of DefaultFaultRule	Medium	Target Proxy	Error Handling	CWE-390
MatchesPath is applied to a static parameter	Medium	Target Proxy	Code Quality Data Validation	CWE-20
No SpikeArrest policy is applied	Medium	Proxy	Code Quality DoS Protection	CWE-770
ServiceCallout policy uses default message object as a request	Medium	ServiceCallout	Code Quality	CWE-200
ServiceCallout policy uses default message object as a response	Medium	ServiceCallout	Code Quality	CWE-200
Unreachable FaultRule	Medium	Target Proxy	Code Quality	CWE-561
Unreachable Flow	Medium	Target Proxy	Code Quality	CWE-561
Unreachable RouteRule	Medium	Proxy	Code Quality	CWE-561
Missing security headers	Low	Proxy	Secure Configuration	CWE-523