Using clear-text protocols exposes data in transit to eavesdropping and man-in-the-middle attacks.

Why is this an issue?

An attacker who can observe network traffic — for example through a compromised network device, a position on the same network segment, or a cloud environment breach — can read, modify, or inject data sent over ftp, telnet, http, or unencrypted SMTP without detection. This is true even on internal or isolated networks, where insider threats or lateral movement after an initial compromise can expose unencrypted traffic. This rule raises an issue when a clear-text protocol scheme is used or when encryption is explicitly disabled for a network connection.

What is the potential impact?

Sensitive data exposure

An attacker who can intercept network traffic can read all data transmitted over clear-text connections, including credentials, session tokens, API keys, or personal data.

Data tampering

Because clear-text protocols provide no integrity protection, an attacker in a man-in-the-middle position can silently modify data in transit — redirecting users to malicious endpoints, injecting malicious content into responses, or altering commands sent to remote services.

How to fix it in Node.js

Code examples

The following code uses a clear-text protocol or disables encryption for a network connection, leaving transmitted data exposed to interception.

Noncompliant code example

let url = "http://example.com"; // Noncompliant: plain HTTP, readable and modifiable in transit
url = "ftp://anonymous@example.com"; // Noncompliant: FTP sends credentials and files in clear text
url = "telnet://anonymous@example.com"; // Noncompliant: telnet has no encryption at all

For nodemailer:

const nodemailer = require("nodemailer");
let transporter = nodemailer.createTransport({
  // host and port omitted; the TLS options are what matter here
  secure: false, // Noncompliant: no TLS when the connection is opened
  requireTLS: false // Noncompliant: STARTTLS is not enforced, so the session can stay in clear text
});

Compliant solution

let url = "https://example.com";
url = "sftp://anonymous@example.com";
url = "ssh://anonymous@example.com";

For nodemailer, at least one of the following options must be set to true:

const nodemailer = require("nodemailer");
let transporter = nodemailer.createTransport({
  secure: true, // TLS from the first byte (implicit TLS)
  requireTLS: true // otherwise upgrade with STARTTLS and refuse to send if the server does not offer it
});
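As an added example (not code from the rule page or from nodemailer), a small check that mirrors the rule's two Node.js cases, run over constructed sample input; the nodemailer option semantics it encodes are assumed from the library's documentation.

```javascript
// Schemes the rule flags, mapped to the encrypted replacement the page suggests.
const CLEAR_TEXT_SCHEMES = { "http:": "https:", "ftp:": "sftp:", "telnet:": "ssh:" };

// Returns null when the value is not a clear-text URL, otherwise a finding.
function checkUrl(value) {
  let parsed;
  try {
    parsed = new URL(value);
  } catch {
    return null; // not an absolute URL, so there is no transport to judge
  }
  const replacement = CLEAR_TEXT_SCHEMES[parsed.protocol];
  if (!replacement) return null;
  return { issue: `clear-text scheme ${parsed.protocol}`, fix: replacement + value.slice(parsed.protocol.length) };
}

// Scans source text for string literals and reports every clear-text URL.
function findClearTextUrls(source) {
  const findings = [];
  for (const m of source.matchAll(/["'`]([^"'`\n]+)["'`]/g)) {
    const finding = checkUrl(m[1]);
    if (finding) findings.push({ literal: m[1], ...finding });
  }
  return findings;
}

// nodemailer semantics as documented (assumed, not checked against its source):
// secure:true starts TLS on connect; requireTLS:true forces STARTTLS and refuses
// to send without it; with both false the STARTTLS upgrade is only opportunistic,
// so a server that offers no TLS receives the login and message in clear text.
function checkTransportOptions(opts) {
  if (opts.secure === true || opts.requireTLS === true) return null;
  return {
    issue: "SMTP transport can fall back to clear text",
    fix: "set secure: true (TLS on connect) or requireTLS: true (mandatory STARTTLS)",
  };
}

// Constructed sample: the page's three noncompliant URL lines plus a compliant one.
const SAMPLE_SOURCE = [
  'url = "http://example.com";',
  'url = "ftp://anonymous@example.com";',
  'url = "telnet://anonymous@example.com";',
  'url = "https://example.com";',
].join("\n");
```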

How to fix it in AWS Elastic Load Balancing

Code examples

The following code uses a clear-text protocol or disables encryption for a network connection, leaving transmitted data exposed to interception.

Noncompliant code example

For aws-cdk-lib.aws-elasticloadbalancingv2.ApplicationLoadBalancer:

import { ApplicationLoadBalancer, ApplicationProtocol } from 'aws-cdk-lib/aws-elasticloadbalancingv2';

// Inside a Stack or Construct; vpc is defined elsewhere.
const alb = new ApplicationLoadBalancer(this, 'ALB', {
  vpc: vpc,
  internetFacing: true
});

alb.addListener('listener-http-default', {
  port: 8080, // no protocol given: port 8080 defaults to HTTP
  open: true
}); // Noncompliant

alb.addListener('listener-http-explicit', {
  protocol: ApplicationProtocol.HTTP, // Noncompliant
  port: 8080,
  open: true
});

Compliant solution

For aws-cdk-lib.aws-elasticloadbalancingv2.ApplicationLoadBalancer:

import { ApplicationLoadBalancer, ApplicationProtocol } from 'aws-cdk-lib/aws-elasticloadbalancingv2';

// Inside a Stack or Construct; vpc and certificate are defined elsewhere.
const alb = new ApplicationLoadBalancer(this, 'ALB', {
  vpc: vpc,
  internetFacing: true
});

alb.addListener('listener-https-explicit', {
  protocol: ApplicationProtocol.HTTPS, // TLS is terminated at the load balancer
  port: 8080,
  open: true,
  certificates: [certificate]
});

// Without an explicit protocol the listener's protocol follows the port:
// 443 defaults to HTTPS, whereas 8080 would default to HTTP.
alb.addListener('listener-https-implicit', {
  port: 443,
  open: true,
  certificates: [certificate]
});
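As an added example, not code from aws-cdk-lib or the rule page: a model of how a listener's effective protocol is resolved from these props and which listeners the rule would then flag. The port-to-protocol defaults are an assumption about aws-cdk-lib's behaviour when protocol is omitted, and the listener definitions are constructed to mirror the ones above.

```javascript
// Port-to-protocol defaults assumed for aws-cdk-lib listeners (see lead-in).
const DEFAULT_PROTOCOL_FOR_PORT = {
  80: "HTTP", 8000: "HTTP", 8008: "HTTP", 8080: "HTTP",
  443: "HTTPS", 8443: "HTTPS",
};
const DEFAULT_PORT_FOR_PROTOCOL = { HTTP: 80, HTTPS: 443 };

// Returns the { protocol, port } the listener would actually be created with.
function resolveListener(props) {
  let { protocol, port } = props;
  if (protocol === undefined && port === undefined) {
    throw new Error("supply at least one of protocol and port");
  }
  if (protocol === undefined) {
    protocol = DEFAULT_PROTOCOL_FOR_PORT[port];
    if (!protocol) throw new Error(`no default protocol for port ${port}; set protocol explicitly`);
  }
  if (port === undefined) port = DEFAULT_PORT_FOR_PROTOCOL[protocol];
  return { protocol, port };
}

// Applies the rule: a listener that ends up as HTTP is noncompliant, and an
// HTTPS listener needs at least one certificate before it can terminate TLS.
function checkListener(name, props) {
  const { protocol, port } = resolveListener(props);
  if (protocol === "HTTP") {
    return { name, port, issue: "clear-text HTTP listener",
      fix: "set protocol: ApplicationProtocol.HTTPS (or a port that defaults to HTTPS) and add certificates" };
  }
  if (!props.certificates || props.certificates.length === 0) {
    return { name, port, issue: "HTTPS listener without certificates", fix: "add certificates: [certificate]" };
  }
  return null;
}

// Constructed listener definitions mirroring the examples above; "cert" stands in for an ACM certificate.
const LISTENERS = {
  "listener-http-default": { port: 8080, open: true },
  "listener-http-explicit": { protocol: "HTTP", port: 8080, open: true },
  "listener-https-explicit": { protocol: "HTTPS", port: 8080, open: true, certificates: ["cert"] },
  "listener-https-implicit": { port: 443, open: true, certificates: ["cert"] },
};

// Returns the names of the listeners the rule would flag.
function flaggedListeners(listeners) {
  return Object.entries(listeners)
    .filter(([name, props]) => checkListener(name, props) !== null)
    .map(([name]) => name);
}
```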

How to fix it in Amazon ElastiCache

Code examples

The following code uses a clear-text protocol or disables encryption for a network connection, leaving transmitted data exposed to interception.

Noncompliant code example

For aws-cdk-lib.aws-elasticache.CfnReplicationGroup:

import { CfnReplicationGroup } from 'aws-cdk-lib/aws-elasticache';

// Inside a Stack or Construct.
new CfnReplicationGroup(this, 'example-implicit', {
  replicationGroupDescription: 'exampleDescription'
  // transitEncryptionEnabled omitted: in-transit encryption is off by default
}); // Noncompliant

new CfnReplicationGroup(this, 'example-explicit', {
  replicationGroupDescription: 'exampleDescription',
  transitEncryptionEnabled: false // Noncompliant: clients talk to the nodes in clear text
});

Compliant solution

import { CfnReplicationGroup } from 'aws-cdk-lib/aws-elasticache';

// Inside a Stack or Construct.
new CfnReplicationGroup(this, 'example-explicit', {
  replicationGroupDescription: 'example',
  transitEncryptionEnabled: true // clients must connect over TLS
});

How to fix it in AWS Kinesis

Code examples

The following code uses a clear-text protocol or disables encryption for a network connection, leaving transmitted data exposed to interception.

Noncompliant code example

For aws-cdk-lib.aws-kinesis.CfnStream:

import { CfnStream } from 'aws-cdk-lib/aws-kinesis';

// Inside a Stack or Construct.
new CfnStream(this, 'example-cfnstream-implicit', undefined); // Noncompliant: no streamEncryption, so records are stored unencrypted

new CfnStream(this, 'example-cfnstream-explicit', {
  streamEncryption: undefined // Noncompliant
});

For aws-cdk-lib.aws-kinesis.Stream:

import { Stream, StreamEncryption } from 'aws-cdk-lib/aws-kinesis';

new Stream(this, 'example-stream', {
  encryption: StreamEncryption.UNENCRYPTED // Noncompliant: encryption explicitly disabled
});

Compliant solution

import { CfnStream } from 'aws-cdk-lib/aws-kinesis';

// Inside a Stack or Construct; encryptionKey is a kms.IKey defined elsewhere.
new CfnStream(this, 'example-cfnstream-explicit', {
  streamEncryption: {
    encryptionType: 'KMS', // the encryption type CloudFormation accepts here
    keyId: encryptionKey.keyId,
  }
});

import { Stream, StreamEncryption } from 'aws-cdk-lib/aws-kinesis';

new Stream(this, 'example-stream'); // relies on the construct's encrypted default

new Stream(this, 'example-stream-selfmanaged', {
  encryption: StreamEncryption.KMS,
  encryptionKey: encryptionKey, // customer-managed KMS key
});

new Stream(this, 'example-stream-managed', {
  encryption: StreamEncryption.MANAGED // AWS-managed KMS key
});

Exceptions

No issue is reported for the following cases:
