Sending HTTP requests is security-sensitive. It has led in the past to the following vulnerabilities:

An HTTP request has different kinds of vulnerabilities:

This rule flags code that initiates an HTTP request. The goal is to guide security code reviews.

Ask Yourself Whether

You are at risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Questionable Code Example

// In every snippet below, "url" stands for the request target; it is not defined here.

// === Built-in NodeJS modules ===
const http = require('http');
http.request(url, (res) => {}); // Questionable
http.get(url, (res) => {}); // Questionable

const https = require('https');
https.request(url, (res) => {}); // Questionable
https.get(url, (res) => {}); // Questionable

// === Request NodeJS module ===
const request = require('request');
// All Request methods making HTTP requests are security-sensitive and should be reviewed.
// Examples:
request(url, function (error, res, body) {}); // Questionable
request.get(url); // Questionable

// === Axios module ===
const axios = require('axios');
// All Axios methods making HTTP requests are security-sensitive and should be reviewed.
// Example:
axios.get(url) // Questionable
  .then(function (res) {});

// === In browser, XMLHttpRequest ===
var xmlhttp = null;
if (window.XMLHttpRequest) {
  xmlhttp = new XMLHttpRequest(); // modern browsers
} else {
  xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); // very old IE browsers
}
xmlhttp.onreadystatechange = function() {};
xmlhttp.open("GET", url, false); // Questionable
xmlhttp.send();

// === In modern browsers, Fetch API ===
window.fetch(url) // Questionable
  .then(function(res) {});

// === In old IE browsers, XDomainRequest ===
var xdr = new XDomainRequest();
xdr.open("GET", url); // Questionable
xdr.send();

// === In browser, jQuery ===
// All jQuery methods making HTTP requests are security-sensitive and should be reviewed.
// Examples:
$.ajax({ url: url }) // Questionable
  .done(function(data) {});
$.get(url, function(data) {}); // Questionable
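Since the rule flags every call site that sends a request, one way to keep the review tractable is to route all outbound requests through a single validated function. The following is an added example, not code from the rule text or from any of the libraries above; the policy it enforces (https only, a host allow-list of constructed hostnames, no credentials in the URL, redirects refused) is an assumption of this example rather than something the rule prescribes.

```javascript
// Added example: one reviewed choke point for outbound HTTP requests.
// The policy encoded here (https only, host allow-list, no URL credentials,
// no redirects) is an assumption of this example, not part of the rule text.
const ALLOWED_HOSTS = new Set(['api.example.com', 'reports.example.com']); // constructed

class OutboundRequestError extends Error {}

// Parse and validate a request target before any network activity happens.
// Returns a URL object on success and throws OutboundRequestError otherwise.
function validateOutboundUrl(raw, allowedHosts = ALLOWED_HOSTS) {
  let parsed;
  try {
    parsed = new URL(String(raw));
  } catch (e) {
    throw new OutboundRequestError(`unparsable request target: ${raw}`);
  }
  if (parsed.protocol !== 'https:') {
    throw new OutboundRequestError(`only https is allowed, got ${parsed.protocol}`);
  }
  if (parsed.username || parsed.password) {
    throw new OutboundRequestError('credentials embedded in the URL are not allowed');
  }
  if (!allowedHosts.has(parsed.hostname)) {
    throw new OutboundRequestError(`host not on allow-list: ${parsed.hostname}`);
  }
  return parsed;
}

// The one place in the code base that actually sends. This is the call the
// rule would flag, and the only call site a reviewer then has to examine.
// Validation failures throw synchronously, before fetchImpl is ever invoked;
// fetchImpl is injectable so the wrapper can be exercised without a network.
function reviewedFetch(raw, init = {}, fetchImpl = globalThis.fetch) {
  const target = validateOutboundUrl(raw);
  return fetchImpl(target.href, { ...init, redirect: 'error' }); // Questionable, reviewed here
}
```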

See