go.lang.security.audit.net.use-tls.use-tls

Community Favorite
Author: semgrep
Downloads: 105,843

Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information.


Definition

rules:
  - id: use-tls
    pattern: http.ListenAndServe($ADDR, $HANDLER)
    fix: http.ListenAndServeTLS($ADDR, certFile, keyFile, $HANDLER)
    metadata:
      cwe:
        - "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      references:
        - https://golang.org/pkg/net/http/#ListenAndServeTLS
      category: security
      technology:
        - go
      confidence: MEDIUM
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    message: Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead.
      See https://golang.org/pkg/net/http/#ListenAndServeTLS for more
      information.
    languages:
      - go
    severity: WARNING

Examples

use-tls.go

package main

import (
    "net/http"
)

// Handler answers with a plain-text greeting.
func Handler(w http.ResponseWriter, r *http.Request) {
    w.Header().Set("Content-Type", "text/plain")
    w.Write([]byte("Hello, world!"))
}

func main() {
    http.HandleFunc("/index", Handler)
    // ruleid: use-tls
    // Cleartext HTTP on port 80: this call matches the rule pattern.
    http.ListenAndServe(":80", nil)
}
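The example above is what the rule flags. The rule's autofix swaps in `http.ListenAndServeTLS($ADDR, certFile, keyFile, $HANDLER)`, which only compiles once `certFile` and `keyFile` exist, and it says nothing about the TLS settings the server will accept. The following is an added example, not part of the Semgrep rule or its test file, showing the shape a practitioner usually ends up with: an `http.Server` with an explicit minimum TLS version and cipher list, started with `ListenAndServeTLS`, plus a port-80 listener whose only job is to redirect to HTTPS. The names `hardenedTLSConfig`, `redirectToHTTPS`, `newTLSServer` and the `cert.pem`/`key.pem` paths are assumptions for this example. Note that the redirect listener still calls `http.ListenAndServe`, so this rule (confidence MEDIUM, subcategory audit) will also report it; that finding is a true match of the pattern but an accepted one, and is the kind of hit the audit category expects a reviewer to triage rather than a bug to fix.

```go
// Added example: a Go HTTPS server wired the way the use-tls rule expects.
// Not code from the Semgrep rule page; cert.pem and key.pem are placeholders.
package main

import (
	"crypto/tls"
	"log"
	"net/http"
)

// hardenedTLSConfig returns the tls.Config for the public listener:
// TLS 1.2 as the floor, modern curves and AEAD cipher suites only.
// (Go ignores CipherSuites for TLS 1.3, which always uses AEAD suites.)
func hardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// redirectToHTTPS returns a handler that answers every cleartext request with
// a 301 to the same path and query on HTTPS at a configured host, so no
// application content is ever served over plain HTTP. The host is fixed in
// configuration rather than taken from the client's Host header.
func redirectToHTTPS(host string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		target := "https://" + host + r.URL.RequestURI()
		http.Redirect(w, r, target, http.StatusMovedPermanently)
	}
}

// hello is the application handler from the rule's example.
func hello(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/plain")
	w.Write([]byte("Hello, world!"))
}

// newTLSServer builds the HTTPS server. The certificate and key are loaded by
// ListenAndServeTLS at start time, so they are not part of the server struct.
func newTLSServer(addr string, handler http.Handler) *http.Server {
	return &http.Server{
		Addr:      addr,
		Handler:   handler,
		TLSConfig: hardenedTLSConfig(),
	}
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/index", hello)

	// Port 80 stays up only to redirect. This call still matches the use-tls
	// pattern and will show up as an audit finding to be reviewed and accepted.
	go func() {
		log.Fatal(http.ListenAndServe(":80", redirectToHTTPS("example.test")))
	}()

	srv := newTLSServer(":443", mux)
	// Placeholder PEM paths; point these at the deployed certificate and key.
	log.Fatal(srv.ListenAndServeTLS("cert.pem", "key.pem"))
}
```

Running it needs a certificate and key on disk; for a local check, `go run` with a self-signed pair and `curl -k https://127.0.0.1/index` shows the greeting, while `curl -i http://127.0.0.1/index` shows only the 301 to the HTTPS URL.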