pathfinder scan --ruleset python/PYTHON-LANG-SEC-060 --project .

About This Rule
Understanding the vulnerability and how it is detected
Using the requests library with http:// URLs transmits all request and response data in plaintext over TCP without TLS encryption. Authentication headers, session tokens, API keys, user data, and all other HTTP content are visible to network observers and MITM attackers.
The requests library makes HTTPS requests trivially easy — simply use https:// in the URL. The library handles TLS certificate verification by default. There is rarely a legitimate reason to use http:// URLs in production application code, except for localhost health checks or explicitly non-sensitive endpoints.
This rule audits requests.get(), requests.post(), requests.put(), requests.patch(), requests.delete(), requests.head(), and requests.Session() calls to flag HTTP URLs.
Security Implications
Potential attack scenarios if this vulnerability is exploited
API Key and Token Interception
API keys, OAuth tokens, and authentication headers transmitted in HTTP requests are visible in plaintext to anyone on the network path, enabling immediate credential theft and unauthorized API access.
Sensitive Data Exposure
Request bodies, query parameters, and response data containing user information, financial data, health records, or other sensitive content are exposed to network observers without TLS encryption.
HTTP Response Tampering
Without TLS, responses can be modified in transit. An attacker can inject malicious content, alter API responses to change application behavior, or redirect to malicious endpoints by manipulating redirect responses.
Mixed Content and Redirect Downgrade
Applications that start with HTTPS but follow redirects to HTTP URLs can be downgraded to HTTP mid-session. The requests library follows redirects by default, potentially following a redirect from https:// to http:// and exposing session credentials.
How to Fix
Recommended remediation steps
1. Replace all http:// URLs with https:// URLs in requests calls.
2. Use HTTPS for all API endpoints, even internal service-to-service communication.
3. Set a base URL with HTTPS in requests.Session() and use relative paths to prevent accidentally mixing HTTP and HTTPS.
4. Configure HSTS on your servers so clients are redirected to HTTPS even if they accidentally use HTTP URLs.
5. Add URL validation in your application that rejects or upgrades HTTP URLs to HTTPS before making requests.
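An added example (not Code Pathfinder's or the requests project's code) covering remediation steps 3 and 5 and the redirect downgrade described above: a validator that upgrades or rejects http:// URLs, with a localhost carve-out as an assumed policy, plus a requests.Session subclass that applies it to every call and refuses https-to-http redirects through requests' own get_redirect_target() method. The allowlist, function and class names are this example's own.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed policy: plaintext HTTP is tolerated only for local health-check hosts
# (the carve-out noted above); every other http:// URL is upgraded or rejected.
PLAINTEXT_ALLOWED_HOSTS = frozenset({"localhost", "127.0.0.1", "::1"})


def enforce_https(url, upgrade=True):
    """Validate a URL before it is handed to requests.

    https:// passes through, http:// to an allowed host passes through, any
    other http:// is upgraded (upgrade=True) or rejected (upgrade=False), and
    any other scheme is rejected. urlsplit() already lower-cases the scheme.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url
    if parts.scheme != "http":
        raise ValueError(f"unsupported URL scheme in {url!r}")
    if parts.hostname in PLAINTEXT_ALLOWED_HOSTS:
        return url
    if not upgrade:
        raise ValueError(f"plaintext HTTP URL rejected: {url!r}")
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))


def is_downgrade(from_url, to_url):
    """True when a redirect hop moves from https:// to an absolute http:// URL.

    Relative and scheme-relative Location values inherit the origin scheme when
    requests resolves them, so they are not downgrades.
    """
    return urlsplit(from_url).scheme == "https" and urlsplit(to_url).scheme == "http"


try:
    import requests
except ImportError:  # the pure helpers above still work without requests installed
    requests = None

if requests is not None:
    class HttpsOnlySession(requests.Session):
        """Session that runs every URL through enforce_https() and refuses an
        https-to-http redirect instead of silently following it."""
        def request(self, method, url, *args, **kwargs):
            return super().request(method, enforce_https(url), *args, **kwargs)

        def get_redirect_target(self, resp):
            target = super().get_redirect_target(resp)
            if target is not None and is_downgrade(resp.url, target):
                raise requests.exceptions.RequestException(
                    f"refusing https->http redirect to {target!r}", response=resp)
            return target
```

Use HttpsOnlySession() in place of requests.Session(); with upgrade=False the validator rejects instead of rewriting, which is the safer default when a plaintext URL in a config file should be treated as a bug rather than silently corrected.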
Detection Scope
How Code Pathfinder analyzes your code for this vulnerability
This rule detects calls to requests.get(), requests.post(), requests.put(), requests.delete(), requests.patch(), requests.head(), requests.options(), and requests.request() where the URL argument starts with "http://" (not "https://"). This covers both literal HTTP URLs and variable URLs that can be determined to use HTTP by taint analysis.
Similar Rules
Explore related security rules for Python
Certificate Validation Disabled (verify=False)
TLS certificate validation is explicitly disabled via verify=False or CERT_NONE, making connections vulnerable to man-in-the-middle attacks.
Insecure HTTP Connection via http.client
http.client.HTTPConnection transmits data in plaintext without encryption. Use HTTPSConnection for sensitive communications.
Insecure urllib.request.urlopen() Usage
urllib.request.urlopen() over HTTP transmits data in plaintext. Verify HTTPS URLs are used and SSL context is properly configured.