
Tier 2: reject http:// base URL to prevent cleartext token transmission #40

Description

@MarketDataApp

Tier 2 per SECURITY.md — a compatibility-affecting change; needs maintainer approval before merge. Surfaced by the security review behind #39.

Problem

Configuration accepts http as a valid baseUrl scheme (ALLOWED_SCHEMES = {"http", "https"}, Configuration.java:24), and HttpTransport.buildHttpRequest attaches Authorization: Bearer <token> to every request unconditionally (HttpTransport.java:406-408) regardless of scheme.

If an operator sets MARKETDATA_BASE_URL=http://… (env, .env, or the 4-arg constructor), construction succeeds silently and startup validation + every subsequent call send the API token over cleartext to any on-path observer. Undermines the "TLS validated by default" invariant.

Trigger: operator misconfiguration only — the default is https, so no third party can force this. Not remotely exploitable against a default user; it's a foot-gun to close.

Proposed fix (needs approval — Tier 2)

Reject http at construction (https-only), or at minimum refuse to attach the Authorization header over a cleartext connection and emit a WARNING.

Why Tier 2

Rejecting http tightens validation and would break any consumer currently pointing at an http origin (e.g. a local test proxy). Needs a deliberate call + possibly a documented escape hatch.
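As an added illustration of the proposed fix (not code from the MarketDataApp project; class, method and flag names here are hypothetical), the following Java sketch combines both options from the description: the base URL is rejected at construction unless it is https, an explicit opt-in flag stands in for the "documented escape hatch" for local test proxies, and even when that flag is set the bearer token is never attached to a cleartext request.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.http.HttpRequest;
import java.util.Locale;
import java.util.Set;
import java.util.logging.Logger;

/**
 * Hypothetical base-URL policy for a client like the one in the issue.
 * Replaces an ALLOWED_SCHEMES = {"http", "https"} check with https-only
 * plus an explicit, logged escape hatch for cleartext test origins.
 */
public final class BaseUrlPolicy {
    private static final Logger LOG = Logger.getLogger(BaseUrlPolicy.class.getName());
    private static final Set<String> SECURE_SCHEMES = Set.of("https");

    // Hypothetical escape hatch; would map to e.g. an env var or constructor arg.
    private final boolean allowInsecureHttp;

    public BaseUrlPolicy(boolean allowInsecureHttp) {
        this.allowInsecureHttp = allowInsecureHttp;
    }

    /** Validates the configured base URL at construction time, failing loudly on http. */
    public URI validateBaseUrl(String raw) {
        URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("baseUrl is not a valid URI: " + raw, e);
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            throw new IllegalArgumentException("baseUrl has no scheme: " + raw);
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (SECURE_SCHEMES.contains(scheme)) {
            return uri;
        }
        if ("http".equals(scheme) && allowInsecureHttp) {
            // Escape hatch: construction succeeds, but never silently.
            LOG.warning("baseUrl uses cleartext http; Authorization header will NOT be sent: " + raw);
            return uri;
        }
        throw new IllegalArgumentException(
                "baseUrl must use https (got '" + scheme + "'); cleartext would expose the API token");
    }

    /** The token is only ever attached when the connection is TLS-protected. */
    public boolean shouldAttachBearer(URI target) {
        String scheme = target.getScheme();
        return scheme != null && SECURE_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT));
    }

    /** Counterpart to an unconditional `Authorization: Bearer` header in the request builder. */
    public HttpRequest buildRequest(URI target, String token) {
        HttpRequest.Builder builder = HttpRequest.newBuilder(target).GET();
        if (shouldAttachBearer(target)) {
            builder.header("Authorization", "Bearer " + token);
        } else {
            LOG.warning("Skipping Authorization header for cleartext target " + target);
        }
        return builder.build();
    }

    public static void main(String[] args) {
        // Constructed sample inputs; "<placeholder-token>" stands in for a real API token.
        BaseUrlPolicy strict = new BaseUrlPolicy(false);
        BaseUrlPolicy lenient = new BaseUrlPolicy(true);

        URI secure = strict.validateBaseUrl("https://api.example.test/v1/");
        System.out.println("https accepted, bearer attached: "
                + strict.buildRequest(secure, "<placeholder-token>").headers().firstValue("Authorization").isPresent());

        try {
            strict.validateBaseUrl("http://localhost:8080/");
        } catch (IllegalArgumentException e) {
            System.out.println("strict policy rejected http: " + e.getMessage());
        }

        URI cleartext = lenient.validateBaseUrl("http://localhost:8080/");
        System.out.println("lenient policy, bearer attached over http: "
                + lenient.buildRequest(cleartext, "<placeholder-token>").headers().firstValue("Authorization").isPresent());
    }
}
```

Running `main` shows the three outcomes the issue cares about: https succeeds with the header present, http fails construction under the default policy, and under the opt-in policy http is accepted with a WARNING but the request carries no Authorization header, so a misconfigured base URL can no longer leak the token to an on-path observer.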

Metadata

Labels: enhancement (New feature or request); security (Security hardening or vulnerability)