pathfinder scan --ruleset python/PYTHON-LANG-SEC-054 --project .
About This Rule
Understanding the vulnerability and how it is detected
http.client.HTTPConnection creates an unencrypted HTTP connection that transmits all data in plaintext. Any data sent over this connection, including authentication tokens, session cookies, API keys, user data, and sensitive parameters, can be intercepted by anyone on the network path between the client and server.
HTTP (without TLS) should not be used for any endpoint that transmits sensitive data. HTTPSConnection (http.client.HTTPSConnection) uses TLS to encrypt the connection, protecting data confidentiality and authenticating the server.
HTTPConnection is appropriate for: internal health check endpoints on localhost, connections to infrastructure components on a private, isolated network where TLS termination occurs at a load balancer, and specific protocol requirements. For all other use cases, HTTPSConnection or the requests library with HTTPS URLs should be used.
Security Implications
Potential attack scenarios if this vulnerability is exploited
Credential Interception
Authentication headers (Basic auth, Bearer tokens, API keys), form credentials, and session cookies transmitted over HTTP are visible in plaintext to any observer on the network, including the ISP, corporate network monitoring, and MITM attackers.
Session Hijacking
HTTP cookies visible on the network allow session hijacking: an attacker who captures the session token can use it to authenticate as the victim without knowing the password.
Data Integrity Failure
HTTP provides no integrity protection. An attacker on the network path can inject, modify, or suppress HTTP traffic. Responses can be modified to serve malicious content, and requests can be altered to change transaction parameters.
Compliance Violations
Transmitting cardholder data (PCI DSS), health information (HIPAA), or personal data (GDPR) over unencrypted HTTP violates regulatory requirements and may result in significant fines and mandatory breach notifications.
How to Fix
Recommended remediation steps
1. Replace http.client.HTTPConnection with http.client.HTTPSConnection for all external service calls.
2. Use the requests library with https:// URLs as a higher-level, safer alternative to http.client.
3. For internal service-to-service communication in containerized environments, use HTTPS even on private networks to protect against internal threats and lateral movement.
4. If HTTP must be used for specific infrastructure reasons (health checks, load balancer endpoints), ensure sensitive data is never transmitted over these endpoints.
5. Configure HSTS (HTTP Strict Transport Security) on servers to prevent clients from accidentally connecting over HTTP.
Detection Scope
How Code Pathfinder analyzes your code for this vulnerability
This rule detects calls to the http.client.HTTPConnection() constructor and its Python 2 equivalent, httplib.HTTPConnection(). All call sites are flagged, since plaintext HTTP is inappropriate for sensitive data transmission and every use requires review to confirm the use case is safe.
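As an added example (not the page's playground code and not Code Pathfinder's own matcher), the following script flags the same two constructors the rule describes with a small AST walk, and shows the HTTPSConnection remediation from the fix steps above. The sample source, host names and the `tls_connection` helper are constructed for illustration.

```python
import ast
import http.client
import ssl

# Constructed sample input: the call sites PYTHON-LANG-SEC-054 would report.
SAMPLE_SOURCE = '''
import http.client
import httplib

def fetch(token):
    conn = http.client.HTTPConnection("api.example.com", 80)   # flagged
    legacy = httplib.HTTPConnection("api.example.com")          # flagged
    safe = http.client.HTTPSConnection("api.example.com", 443)  # not flagged
    conn.request("GET", "/me", headers={"Authorization": "Bearer " + token})
'''

# Constructors the rule flags (fully qualified, as written at the call site).
INSECURE_CTORS = {"http.client.HTTPConnection", "httplib.HTTPConnection"}

def _dotted_name(node):
    """Rebuild 'a.b.c' from an Attribute/Name chain; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def find_plaintext_connections(source):
    """Return sorted (line, callee) pairs for every flagged constructor call.
    Like the rule, every call site is reported; aliased imports are not resolved."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in INSECURE_CTORS:
                findings.append((node.lineno, name))
    return sorted(findings)

def tls_connection(host, port=443):
    """Remediation: HTTPSConnection with the default context, which requires a
    valid certificate and checks the hostname. No socket opens until .request()."""
    ctx = ssl.create_default_context()
    return http.client.HTTPSConnection(host, port, context=ctx)

if __name__ == "__main__":
    for line, callee in find_plaintext_connections(SAMPLE_SOURCE):
        print(f"PYTHON-LANG-SEC-054 line {line}: {callee}() sends data in plaintext")
```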
Compliance & Standards
Industry frameworks and regulations that require detection of this vulnerability
References
External resources and documentation
Similar Rules
Explore related security rules for Python
Unverified SSL Context Created
ssl._create_unverified_context() disables certificate verification entirely, making TLS connections vulnerable to man-in-the-middle attacks.
Certificate Validation Disabled (verify=False)
TLS certificate validation is explicitly disabled via verify=False or CERT_NONE, making connections vulnerable to man-in-the-middle attacks.
HTTP Request Without TLS (requests library)
HTTP URLs in requests calls transmit data in plaintext without encryption. Use HTTPS URLs for sensitive data transmission.
Frequently Asked Questions
Common questions about Insecure HTTP Connection via http.client