Insecure protocols such as HTTP or FTP should be replaced by their encrypted counterparts (HTTPS, FTPS) to avoid sending potentially sensitive data over untrusted networks in plaintext.
This rule comes with two default lists:
- blocklist - a RegEx list of insecure URL patterns.
- exceptions - a RegEx list of common false positive patterns. For example, HTTP URLs to XML schemas are usually allowed as they are used as identifiers, not for establishing actual network connections.
These lists can be overridden by providing options. For example, providing these options:

```json
"@microsoft/sdl/no-insecure-url": ["error", {
    "blocklist": ["^(http|ftp):\\/\\/", "^https:\\/\\/www\\.disallow-example\\.com"],
    "exceptions": ["^http:\\/\\/schemas\\.microsoft\\.com\\/\\/?.*"]
}]
```
overrides the internal blocklist, blocking the following URL patterns:
- http://
- ftp://
- https://www.disallow-example.com
and also overrides the internal exceptions list, allowing the following URL patterns as exceptions:
- http://schemas.microsoft.com
- http://schemas.microsoft.com/sharepoint
- http://schemas.microsoft.com/path/subpath
- ...
URLs in neither the blocklist nor the exceptions list are allowed:
- telnet://
- ws://
- ...
Note: each RegEx in the lists is provided as a string inside JSON. It is written without the delimiting slashes `/ /`, so users cannot pass RegEx flags; we make the pattern case-insensitive ourselves. Do not forget to escape characters (every backslash in the JSON string must be doubled):

```javascript
// The same pattern as a RegEx literal and as the string form expected in the options.
let pureRegex = /^https:\/\/www\.disallow-example\.com/;
let regexInString = "^https:\\/\\/www\\.disallow-example\\.com";
```
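To show how the two lists interact, here is an added stand-alone model of the matching logic applied to the options above; it is not the plugin's own implementation, and the order of checks (exceptions consulted before the blocklist) and the sample literals are assumptions.

```javascript
// Added example: a stand-alone model of how the no-insecure-url rule's two
// RegEx lists could be applied to string literals. It is NOT the plugin's own
// implementation; the exception-before-blocklist precedence is an assumption.

// The option values exactly as they appear in the rule configuration above:
// JSON strings, so every backslash is doubled and there are no / / delimiters.
const options = {
  blocklist: ["^(http|ftp):\\/\\/", "^https:\\/\\/www\\.disallow-example\\.com"],
  exceptions: ["^http:\\/\\/schemas\\.microsoft\\.com\\/\\/?.*"],
};

// Compile each pattern string once, case-insensitively (the rule adds this flag
// itself, so "FTP://" is treated like "ftp://").
function compilePatterns(patterns) {
  return patterns.map((p) => new RegExp(p, "i"));
}

// Classify a URL: "exception" if an exceptions pattern matches, "blocked" if a
// blocklist pattern matches, otherwise "allowed" (in neither list).
function classifyUrl(url, { blocklist, exceptions }) {
  const blocked = compilePatterns(blocklist);
  const allowed = compilePatterns(exceptions);
  if (allowed.some((re) => re.test(url))) return "exception";
  if (blocked.some((re) => re.test(url))) return "blocked";
  return "allowed";
}

// Return every literal the rule would report, imitating a lint run over a file.
function findInsecureUrls(literals, opts) {
  return literals.filter((s) => classifyUrl(s, opts) === "blocked");
}

// Constructed sample literals, one per outcome discussed in the text.
const sampleLiterals = [
  "http://example.com/api",                  // blocked by the first pattern
  "FTP://files.example.com/pub",             // blocked, despite upper case
  "https://www.disallow-example.com/x",      // blocked by the second pattern
  "http://schemas.microsoft.com/sharepoint", // exception: allowed
  "https://example.com",                     // in neither list: allowed
  "telnet://host.example",                   // in neither list: allowed
];

console.log(findInsecureUrls(sampleLiterals, options));
```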