'requireSSL' attribute is not set to true

ID: cs/web/requiressl-not-set
Kind: problem
Security severity: 7.5
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-319
- external/cwe/cwe-614
Query suites:
- csharp-code-scanning.qls
- csharp-security-extended.qls
- csharp-security-and-quality.qls
Sensitive data transmitted over plain HTTP can be read or modified by anyone on the network path. By default, ASP.NET does not mark the forms authentication ticket cookie, or any other cookie, as Secure, so the browser will send it over HTTP as well as HTTPS, and a single HTTP request is enough to expose the session. This is controlled by the requireSSL attribute in Web.config, which defaults to false and must be set to "true" explicitly.
Recommendation

When using forms authentication, ensure that Web.config contains a <forms> element (under <authentication>) with the attribute requireSSL="true". This marks the authentication ticket cookie as Secure; it also makes ASP.NET refuse to issue the ticket on a request that did not arrive over HTTPS, so the application must actually be served over HTTPS for authentication to keep working.

For all other cookies, ensure that SSL is required, either via the <forms> attribute above (which covers only the authentication cookie) or, for every cookie the application sets, via the <httpCookies> element with the attribute requireSSL="true". It is also possible to require SSL for an individual cookie programmatically, by setting the property System.Web.HttpCookie.Secure to true before the cookie is added to the response.
Example

The following example shows where to specify requireSSL="true" in a Web.config file.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <authentication>
      <forms requireSSL="true" ... />
    </authentication>
    <httpCookies requireSSL="true" ... />
  </system.web>
</configuration>
```
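The recommendation and the example above describe two settings in one file, so a quick way to check a deployed Web.config for both is a small audit script. The one below is an added example, not part of the CodeQL query or its documentation: it parses a Web.config with the standard library, applies the same rule as the query (a missing requireSSL attribute is the ASP.NET default, false), and reports which of the two elements still needs fixing. Both configuration strings are constructed for this example; the loginUrl and timeout values are placeholders.

```python
"""Audit a Web.config for the two requireSSL settings.

Added example (not part of the CodeQL query or its documentation). Both
sample configs below are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the weak default. Neither element sets requireSSL, and
# ASP.NET treats a missing attribute as false, so cookies go out over HTTP.
WEAK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="30" />
    </authentication>
    <httpCookies httpOnlyCookies="true" />
  </system.web>
</configuration>"""

# Constructed sample: the corrected configuration recommended on the page.
FIXED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="30" requireSSL="true" />
    </authentication>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>"""


def _require_ssl(element):
    """True only when requireSSL is explicitly "true" (case-insensitive).

    Returns None when the element is absent. A present element without the
    attribute gets the ASP.NET default, which is false.
    """
    if element is None:
        return None
    return element.get("requireSSL", "false").strip().lower() == "true"


def check_require_ssl(web_config_xml):
    """Return findings for a Web.config document given as str or bytes.

    Keys:
      forms_present / forms_require_ssl     -- <system.web><authentication><forms>
      cookies_present / cookies_require_ssl -- <system.web><httpCookies>
      findings                              -- list of human-readable problems
    """
    if isinstance(web_config_xml, str):
        # Feed bytes so the XML declaration's encoding is honoured.
        web_config_xml = web_config_xml.encode("utf-8")
    root = ET.fromstring(web_config_xml)
    if root.tag != "configuration":
        raise ValueError("not a Web.config: root element is %r" % root.tag)

    forms = root.find("./system.web/authentication/forms")
    cookies = root.find("./system.web/httpCookies")
    forms_ssl = _require_ssl(forms)
    cookies_ssl = _require_ssl(cookies)

    findings = []
    # Only flag <forms> when it exists: without forms authentication there is
    # no ticket cookie to protect.
    if forms is not None and not forms_ssl:
        findings.append('<forms> element does not set requireSSL="true"')
    # <httpCookies> applies to every cookie, so its absence is itself a finding.
    if cookies is None:
        findings.append("<httpCookies> element is missing (requireSSL defaults to false)")
    elif not cookies_ssl:
        findings.append('<httpCookies> element does not set requireSSL="true"')

    return {
        "forms_present": forms is not None,
        "forms_require_ssl": bool(forms_ssl),
        "cookies_present": cookies is not None,
        "cookies_require_ssl": bool(cookies_ssl),
        "findings": findings,
    }


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        result = check_require_ssl(cfg)
        print(name, "->", result["findings"] or "OK")
```

Run it against a real file with `check_require_ssl(open("Web.config", "rb").read())`. The script deliberately treats an absent <httpCookies> element as a finding, because the element's default is the insecure one, whereas an absent <forms> element is not flagged, since the query only concerns applications that actually use forms authentication.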
References

- MSDN: HttpCookie.Secure Property, FormsAuthentication.RequireSSL Property, forms Element for authentication, httpCookies Element.
- Common Weakness Enumeration: CWE-319.
- Common Weakness Enumeration: CWE-614.