Skip to main content

no-insecure-url

Disallow insecure URL protocols in application code.

Targeted pattern scopeโ€‹

This rule targets insecure URL patterns such as:

  • http://...
  • ftp://...
  • configurable blocklisted patterns defined in rule options.

What this rule reportsโ€‹

This rule reports string literals and option-matched values that use insecure or explicitly blocked URL schemes.

Why this rule existsโ€‹

Unencrypted transports can expose credentials, tokens, and sensitive payloads to interception or tampering.

โŒ Incorrectโ€‹

const endpoint = "http://api.example.com/v1/data";

โœ… Correctโ€‹

const endpoint = "https://api.example.com/v1/data";

ESLint flat config exampleโ€‹

import sdl from "eslint-plugin-sdl-2";

export default [
{
plugins: { sdl },
rules: {
"sdl/no-insecure-url": [
"error",
{
blocklist: ["^(http|ftp):\\/\\/"],
exceptions: ["^http:\\/\\/schemas\\.microsoft\\.com\\/?.*"],
varExceptions: ["insecure?.*"],
},
],
},
},
];

When not to use itโ€‹

Disable only when scanning datasets or tests that intentionally include insecure URLs.

Package documentationโ€‹

Further readingโ€‹

Rule catalog ID: R021