Tier 2 per SECURITY.md — a compatibility-affecting change; needs maintainer approval before merge. Surfaced by the security review behind #39.
Problem
Configuration accepts http as a valid baseUrl scheme (ALLOWED_SCHEMES = {"http", "https"}, Configuration.java:24), and HttpTransport.buildHttpRequest attaches Authorization: Bearer <token> to every request unconditionally (HttpTransport.java:406-408) regardless of scheme.
If an operator sets MARKETDATA_BASE_URL=http://… (env, .env, or the 4-arg constructor), construction succeeds silently and startup validation + every subsequent call send the API token over cleartext to any on-path observer. Undermines the "TLS validated by default" invariant.
Trigger: operator misconfiguration only — the default is https, so no third party can force this. Not remotely exploitable against a default user; it's a foot-gun to close.
Proposed fix (needs approval — Tier 2)
Reject http at construction (https-only), or at minimum refuse to attach the Authorization header over a cleartext connection and emit a WARNING.
Why Tier 2
Rejecting http tightens validation and would break any consumer currently pointing at an http origin (e.g. a local test proxy). Needs a deliberate call + possibly a documented escape hatch.
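One way to implement the proposed fix, as an added example and not code from this project: construction-time validation that is https-only by default with an explicit, operator-chosen escape hatch for the local-proxy case, plus a second check so a bearer token is never attached to a cleartext request even when that hatch is open. The class and method names (BaseUrlPolicy, validate, allowInsecureHttp, shouldAttachAuthorization) are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
import java.util.logging.Logger;

// Hypothetical policy class; the real Configuration/HttpTransport code is not shown here.
public final class BaseUrlPolicy {
    private static final Logger LOG = Logger.getLogger(BaseUrlPolicy.class.getName());
    // https-only by default: the old {"http", "https"} set is what let cleartext through.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("https");

    private BaseUrlPolicy() {}

    /**
     * Validate baseUrl at construction time. http is rejected unless the operator
     * deliberately opts in (the documented escape hatch, e.g. for a local test proxy).
     */
    public static URI validate(String baseUrl, boolean allowInsecureHttp) {
        URI uri;
        try {
            uri = new URI(baseUrl);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("baseUrl is not a valid URI: " + baseUrl, e);
        }
        String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase(Locale.ROOT);
        if (ALLOWED_SCHEMES.contains(scheme)) {
            return uri;
        }
        if ("http".equals(scheme) && allowInsecureHttp) {
            // Escape hatch: connection is allowed, but the token must still never go over cleartext.
            LOG.warning("baseUrl " + uri + " uses cleartext http; Authorization will not be attached");
            return uri;
        }
        throw new IllegalArgumentException(
            "baseUrl must use https (got scheme '" + scheme + "'); set allowInsecureHttp for local testing only");
    }

    /** Call before adding Authorization: Bearer; refuses and warns on any non-https request. */
    public static boolean shouldAttachAuthorization(URI requestUri) {
        boolean tls = "https".equalsIgnoreCase(requestUri.getScheme());
        if (!tls) {
            LOG.warning("refusing to attach Authorization header to cleartext request " + requestUri);
        }
        return tls;
    }
}
```

With both checks in place a misconfigured MARKETDATA_BASE_URL=http://… fails fast at construction unless the escape hatch is set, and even then the API token is never put on the wire.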