no-http-request-to-insecure-protocol
Disallow application HTTP client calls that use insecure http:// endpoints.
Targeted pattern scopeโ
Network client calls to insecure http:// endpoints.
What this rule reportsโ
http/https/fetch calls whose URL literal starts with http://.
Why this rule existsโ
Unencrypted HTTP can expose credentials, tokens, and payload integrity to active network attackers.
โ Incorrectโ
http.get("http://api.example.com/status");
โ Correctโ
https.get("https://api.example.com/status");
ESLint flat config exampleโ
import sdl from "eslint-plugin-sdl-2";
export default [
{
plugins: { sdl },
rules: {
"sdl/no-http-request-to-insecure-protocol": "error",
},
},
];
When not to use itโ
Disable only for local development or legacy endpoints that are explicitly non-production and otherwise protected.
Package documentationโ
Further readingโ
Rule catalog ID: R040