Interlace ESLint
ESLint Interlace
Secure CodingRules

no-unencrypted-transmission

Detects unencrypted data transmission (HTTP vs HTTPS, plain text protocols). This rule is part of [`eslint-plugin-secure-coding`](https://www.npmjs.com/package/

Keywords: unencrypted, CWE-319, security, ESLint rule, HTTP, HTTPS, encryption, TLS, SSL, data transmission, LLM-optimized, code security

Detects unencrypted data transmission (HTTP vs HTTPS, plain text protocols). This rule is part of eslint-plugin-secure-coding and provides LLM-optimized error messages that AI assistants can automatically fix.

💼 This rule is set to error by default in the recommended config.

Quick Summary

AspectDetails
CWE ReferenceCWE-319 (Cleartext Transmission of Sensitive Information)
SeverityHIGH (security vulnerability)
Auto-Fix✅ Yes (replaces HTTP with HTTPS, WS with WSS, etc.)
CategorySecurity
ESLint MCP✅ Optimized for ESLint MCP integration
Best ForAll applications making network requests, APIs, database connections

Vulnerability and Risk

Vulnerability: Transmission of sensitive data over unencrypted protocols (HTTP) allows unauthorized parties to intercept or modify the data in transit.

Risk: Man-in-the-Middle (MitM) attacks can capture sensitive information like authentication tokens, passwords, or personal data. Attackers can also inject malicious content into the response.

Detection Flow

Why This Matters

IssueImpactSolution
🔒 Man-in-MiddleData intercepted in transitUse HTTPS/TLS
🔐 Data BreachSensitive data exposedEncrypt all transmissions
🍪 ComplianceViolates security standardsEnforce encrypted protocols
📊 Best PracticeAll external connections need TLSUse secure protocols

Detection Patterns

The rule detects:

  • HTTP URLs: http://, http://api.example.com
  • WebSocket (WS): ws://, ws://socket.example.com
  • MongoDB: mongodb:// (should use mongodb+srv://)
  • Redis: redis:// (should use rediss:// or TLS)
  • MySQL: mysql:// (should use SSL)

Examples

❌ Incorrect

// Unencrypted transmission
fetch('http://api.example.com/data'); // ❌ HTTP instead of HTTPS

const ws = new WebSocket('ws://socket.example.com'); // ❌ WS instead of WSS

const mongoUrl = 'mongodb://localhost:27017/db'; // ❌ MongoDB without encryption

const redisUrl = 'redis://localhost:6379'; // ❌ Redis without TLS

const mysqlUrl = 'mysql://user:pass@localhost/db'; // ❌ MySQL without SSL

✅ Correct

// Encrypted transmission
fetch('https://api.example.com/data'); // ✅ HTTPS

const ws = new WebSocket('wss://socket.example.com'); // ✅ WSS

const mongoUrl = 'mongodb+srv://cluster.mongodb.net/db'; // ✅ MongoDB with encryption

const redisUrl = 'rediss://localhost:6379'; // ✅ Redis with TLS

const mysqlUrl = 'mysql://user:pass@localhost/db?ssl=true'; // ✅ MySQL with SSL

// localhost is allowed in test files
fetch('http://localhost:3000/api'); // ✅ localhost in tests

Configuration

Default Configuration

{
  "secure-coding/no-unencrypted-transmission": "error"
}

Options

OptionTypeDefaultDescription
allowInTestsbooleanfalseAllow unencrypted in tests
insecureProtocolsstring[]['http', 'ws', ...]Insecure protocol patterns
secureAlternativesobject{http: 'https', ws: 'wss'}Mapping to secure alternatives
ignorePatternsstring[][]Additional patterns to ignore

Example Configuration

{
  "secure-coding/no-unencrypted-transmission": [
    "error",
    {
      "allowInTests": true,
      "insecureProtocols": ["http", "ws", "mongodb"],
      "secureAlternatives": {
        "http": "https",
        "ws": "wss",
        "mongodb": "mongodb+srv"
      },
      "ignorePatterns": ["localhost", "127.0.0.1"]
    }
  ]
}

Auto-Fix Behavior

The rule provides automatic fixes that:

  • ✅ Replace http:// with https://
  • ✅ Replace ws:// with wss://
  • ✅ Replace mongodb:// with mongodb+srv://
  • ✅ Replace redis:// with rediss://
  • ⚠️ Template literals require manual review (too risky for auto-fix)

Auto-Fix Example

// Before (triggers rule)
fetch('http://api.example.com/data');

// After (auto-fixed)
fetch('https://api.example.com/data');

Best Practices

  1. Always use HTTPS: For all external API calls
  2. Use WSS for WebSockets: Encrypt WebSocket connections
  3. Database encryption: Use TLS/SSL for database connections
  4. Environment variables: Store URLs in environment variables
  5. Test exceptions: Use allowInTests: true for localhost in tests

Known False Negatives

The following patterns are not detected due to static analysis limitations:

Algorithm from Variable

Why: Algorithm names from variables not traced.

// ❌ NOT DETECTED - Algorithm from variable
const algo = config.hashAlgorithm; // May be weak
crypto.createHash(algo);

Mitigation: Hardcode secure algorithms.

Third-party Crypto Libraries

Why: Non-standard crypto APIs not recognized.

// ❌ NOT DETECTED - Third-party
customCrypto.encrypt(data, key);

Mitigation: Review all crypto implementations.

Configuration-based Security

Why: Config-driven security not analyzed.

// ❌ NOT DETECTED - Config-based
const options = getSecurityOptions(); // May be weak

Mitigation: Validate security configurations.

Resources

no-unchecked-loop-condition

Detects unchecked loop conditions that could cause DoS. This rule is part of [`eslint-plugin-secure-coding`](https://www.npmjs.com/package/eslint-plugin-secure-

no-unescaped-url-parameter

Detects unescaped URL parameters that can lead to Cross-Site Scripting (XSS) or open redirect vulnerabilities. This rule is part of [`eslint-plugin-secure-codin

On this page

Quick SummaryVulnerability and RiskDetection FlowWhy This MattersDetection PatternsExamples❌ Incorrect✅ CorrectConfigurationDefault ConfigurationOptionsExample ConfigurationAuto-Fix BehaviorAuto-Fix ExampleBest PracticesKnown False NegativesAlgorithm from VariableThird-party Crypto LibrariesConfiguration-based SecurityRelated RulesResources