Skip to main content

no-http-request-to-insecure-protocol

Disallow application HTTP client calls that use insecure http:// endpoints.

Targeted pattern scopeโ€‹

Network client calls to insecure http:// endpoints.

What this rule reportsโ€‹

http/https/fetch calls whose URL literal starts with http://.

Why this rule existsโ€‹

Unencrypted HTTP can expose credentials, tokens, and payload integrity to active network attackers.

โŒ Incorrectโ€‹

http.get("http://api.example.com/status");

โœ… Correctโ€‹

https.get("https://api.example.com/status");

ESLint flat config exampleโ€‹

import sdl from "eslint-plugin-sdl-2";

export default [
{
plugins: { sdl },

rules: {
"sdl/no-http-request-to-insecure-protocol": "error",
},
},
];

When not to use itโ€‹

Disable only for local development or legacy endpoints that are explicitly non-production and otherwise protected.

Package documentationโ€‹

Further readingโ€‹

Rule catalog ID: R040