no-http-urls
This rule disallow hardcoded http urls (require https).
Disallow hardcoded HTTP URLs (require HTTPS)
Rule Details
This rule disallow hardcoded http urls (require https).
OWASP Mobile Top 10: M5
CWE: CWE-319
Severity: error
Examples
❌ Incorrect
const apiUrl = 'http://api.example.com/data'
fetch('http://insecure.example.com/api')✅ Correct
const apiUrl = 'https://api.example.com/data'
fetch('https://secure.example.com/api')
const devUrl = 'http://localhost:3000'When Not To Use It
This rule should be enabled for all mobile and web applications to ensure security best practices.
Known False Negatives
The following patterns are not detected due to static analysis limitations:
Values from Variables
Why: Values stored in variables are not traced.
// ❌ NOT DETECTED - Value from variable
const value = userInput;
dangerousOperation(value);Mitigation: Validate all user inputs.
Wrapper Functions
Why: Custom wrappers not recognized.
// ❌ NOT DETECTED - Wrapper
myWrapper(userInput); // Uses dangerous API internallyMitigation: Apply rule to wrapper implementations.
Dynamic Invocation
Why: Dynamic calls not analyzed.
// ❌ NOT DETECTED - Dynamic
obj[method](userInput);Mitigation: Avoid dynamic method invocation.
Further Reading
Related Rules
- See other mobile security rules in this plugin
Category: Mobile Security
Type: Problem
Recommended: Yes
no-hardcoded-session-tokens
The rule provides **LLM-optimized error messages** (Compact 2-line format) with actionable security guidance:
no-improper-sanitization
Detects improper sanitization of user input. This rule is part of [`eslint-plugin-secure-coding`](https://www.npmjs.com/package/eslint-plugin-secure-coding).