‘requireSSL’ attribute is not set to true
ID: cs/web/requiressl-not-set
Kind: problem
Security severity: 7.5
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-319
- external/cwe/cwe-614
Query suites:
- csharp-code-scanning.qls
- csharp-security-extended.qls
- csharp-security-and-quality.qls
Sensitive data that is transmitted using HTTP is vulnerable to being read by a third party. By default, web forms and cookies are sent via HTTP, not HTTPS. This can be changed by setting the requireSSL attribute to "true" in Web.config.
Recommendation
When using web forms, ensure that Web.config contains a <forms> element with the attribute requireSSL="true".
When using cookies, ensure that SSL is used, either via the <forms> attribute above, or the <httpCookies> element, with the attribute requireSSL="true". It is also possible to require cookies to use SSL programmatically, by setting the property System.Web.HttpCookie.Secure to true.
Example
The following example shows where to specify requireSSL="true" in a Web.config file.
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <authentication>
      <forms
        requireSSL="true"
        ... />
    </authentication>
    <httpCookies
      requireSSL="true"
      ... />
  </system.web>
</configuration>
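The check the query performs can be reproduced outside CodeQL as a small configuration audit. The following Python script is an added example, not part of the query help or the CodeQL repository: it parses a Web.config, looks for the <forms> and <httpCookies> elements under <system.web>, and reports each one whose requireSSL attribute is missing or not "true" (for <httpCookies>, a missing element is reported too, since the attribute defaults to false). Both sample configurations are constructed for the example; the element and attribute names are the ones from the page.

```python
import xml.etree.ElementTree as ET

# Constructed sample: forms authentication and cookies without requireSSL.
WEAK_CONFIG = """<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="30" />
    </authentication>
    <httpCookies httpOnlyCookies="true" />
  </system.web>
</configuration>
"""

# Constructed sample: the same configuration with requireSSL="true" on both elements.
HARDENED_CONFIG = """<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="30" requireSSL="true" />
    </authentication>
    <httpCookies httpOnlyCookies="true" requireSSL="True" />
  </system.web>
</configuration>
"""


def is_true(value):
    """.NET configuration booleans are parsed case-insensitively."""
    return value is not None and value.strip().lower() == "true"


def audit_web_config(xml_text):
    """Return a list of findings, one per element that does not require SSL.

    An empty list means every forms/httpCookies element under <system.web>
    carries requireSSL="true".
    """
    # Encode to bytes so the XML declaration's encoding is honoured by the parser.
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []

    system_web = root.find("system.web")
    if system_web is None:
        return findings  # no ASP.NET settings to check

    # <forms> lives under <authentication>; iter() finds it at any depth.
    for forms in system_web.iter("forms"):
        if not is_true(forms.get("requireSSL")):
            findings.append(
                "<forms> element: requireSSL attribute is not set to true "
                "(forms authentication cookie may be sent over HTTP)"
            )

    # <httpCookies> is a direct child of <system.web>; absent means requireSSL=false.
    http_cookies = system_web.find("httpCookies")
    if http_cookies is None:
        findings.append(
            "<httpCookies> element missing: requireSSL defaults to false "
            "(application cookies may be sent over HTTP)"
        )
    elif not is_true(http_cookies.get("requireSSL")):
        findings.append("<httpCookies> element: requireSSL attribute is not set to true")

    return findings


if __name__ == "__main__":
    for name, config in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}:")
        for finding in audit_web_config(config) or ["no findings"]:
            print(f"  {finding}")
```

Run it on a real Web.config by reading the file into a string and passing it to audit_web_config. The audit deliberately treats requireSSL="false" and a missing attribute the same way, because both leave the default in force; a cookie created in code with System.Web.HttpCookie.Secure set to true is not visible to this configuration-level check and still needs to be reviewed in the source.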
References
- MSDN: HttpCookie.Secure Property.
- MSDN: FormsAuthentication.RequireSSL Property.
- MSDN: forms Element for authentication.
- MSDN: httpCookies Element.
- Common Weakness Enumeration: CWE-319.
- Common Weakness Enumeration: CWE-614.