no-http-request-to-insecure-protocol

Disallow application HTTP client calls that use insecure http:// endpoints.

Targeted pattern scope

Network client calls to insecure http:// endpoints.

What this rule reports

http/https/fetch calls whose URL literal starts with http://.

Why this rule exists

Unencrypted HTTP lets an active network attacker read credentials and tokens and tamper with payloads in transit.

❌ Incorrect

http.get("http://api.example.com/status");

✅ Correct

https.get("https://api.example.com/status");

ESLint flat config example

import sdl from "eslint-plugin-sdl-2";

export default [
  {
    plugins: { sdl },

    rules: {
      "sdl/no-http-request-to-insecure-protocol": "error",
    },
  },
];

When not to use it

Disable only for local development or legacy endpoints that are explicitly non-production and otherwise protected.
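
The rule is described as matching URL literals, so a URL that only exists at runtime (read from configuration, for example) needs its own check. The following is an added example, not part of the plugin: `assertSecureUrl`, `findInsecureEndpoints`, the `allowLoopback` option and the sample endpoint map are hypothetical names and constructed data. It rejects non-HTTPS URLs, with an opt-in loopback exception for local development.

```javascript
// Added example: runtime guard for URLs that are not literals in source.
// All names here are hypothetical; none of them are plugin or ESLint APIs.

// Hostnames treated as local development targets (exact match only).
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Returns a parsed URL when the endpoint is acceptable, throws otherwise.
function assertSecureUrl(input, { allowLoopback = false } = {}) {
  let url;
  try {
    // The WHATWG parser lowercases scheme and host, so "HTTP://" is caught too.
    url = new URL(input);
  } catch {
    throw new TypeError(`Not an absolute URL: ${String(input)}`);
  }
  if (url.protocol === "https:") return url;
  if (url.protocol === "http:" && allowLoopback && LOOPBACK_HOSTS.has(url.hostname)) {
    return url; // plain HTTP tolerated only for loopback, and only when opted in
  }
  throw new Error(`Refusing non-HTTPS URL: ${url.protocol}//${url.host}`);
}

// Checks a name -> URL map (e.g. loaded config) and returns the offending names.
function findInsecureEndpoints(endpoints, options) {
  const offending = [];
  for (const [name, value] of Object.entries(endpoints)) {
    try {
      assertSecureUrl(value, options);
    } catch {
      offending.push(name);
    }
  }
  return offending;
}

// Constructed sample configuration, for illustration only.
const SAMPLE_ENDPOINTS = {
  status: "https://api.example.com/status",
  metrics: "HTTP://api.example.com/metrics",
  devProxy: "http://localhost:8080/",
  lookalike: "http://localhost.example.com/",
  legacy: "ftp://files.example.com/dump",
};

console.log("production:", findInsecureEndpoints(SAMPLE_ENDPOINTS));
console.log("local dev: ", findInsecureEndpoints(SAMPLE_ENDPOINTS, { allowLoopback: true }));
```

Running the check at startup, before any client is constructed, makes a misconfigured endpoint fail fast instead of at first request.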

Rule catalog ID: R040