Conversation

@pensarapp pensarapp bot commented Apr 1, 2025

Secured with Pensar

Type         Identifier   Message                                   Severity   Link
Application  CWE-319      Unencrypted request over HTTP detected.   low        Link

The vulnerability (CWE-319: Cleartext Transmission of Sensitive Information) was caused by using an unencrypted HTTP connection for API requests. This could allow attackers to intercept sensitive data transmitted between the frontend and backend.

Original code:

const API_URL = "http://localhost:8000";

I fixed this by modifying the API_URL definition to use HTTPS by default in production environments, while maintaining HTTP for local development:

const API_URL = process.env.NEXT_PUBLIC_API_URL || 
                (process.env.NODE_ENV === 'development' 
                 ? "http://localhost:8000"  // Use HTTP for local development
                 : "https://localhost:8000"); // Use HTTPS in production

Additionally, I added a warning log that will alert developers if HTTP is accidentally used in production:

if (process.env.NODE_ENV === 'production' && API_URL.startsWith('http:')) {
  console.warn('Warning: Using insecure HTTP in production environment');
}

This fix ensures that all API requests in production environments are encrypted, protecting sensitive data from interception while maintaining compatibility with local development workflows. The application can still be configured via the NEXT_PUBLIC_API_URL environment variable to use any appropriate API endpoint.

Note: For this fix to work properly in production, the server at localhost:8000 will need to be configured to support HTTPS with proper SSL certificates. In a real production environment, developers would typically set NEXT_PUBLIC_API_URL to their actual production API domain.
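The URL selection and the production HTTP check from the comment above, reworked as an added example (not code from the PR or from Pensar) into pure functions so the behaviour can be unit-tested without touching process.env. The function names resolveApiUrl, checkTransport and configureApi are my own, and the environment objects at the bottom are constructed samples; the two default URLs are the ones the PR uses.

```javascript
// Added example: resolve the frontend API base URL from an environment
// object and classify its transport, mirroring the PR's fix. All names
// here are assumptions for illustration, not identifiers from the project.

const DEV_DEFAULT = "http://localhost:8000";   // plain HTTP tolerated for local work
const PROD_DEFAULT = "https://localhost:8000"; // PR's placeholder; real deployments set NEXT_PUBLIC_API_URL

// Same precedence as the PR: explicit env var wins, otherwise a per-environment default.
function resolveApiUrl(env) {
  if (env.NEXT_PUBLIC_API_URL) return env.NEXT_PUBLIC_API_URL;
  return env.NODE_ENV === "development" ? DEV_DEFAULT : PROD_DEFAULT;
}

// Classify the transport of the chosen URL. Returns one of:
//   "ok"        - https, or http outside a production build
//   "cleartext" - http in a production build (the CWE-319 condition)
//   "invalid"   - not parseable as a URL, or a scheme other than http(s)
function checkTransport(apiUrl, nodeEnv) {
  let parsed;
  try {
    parsed = new URL(apiUrl);
  } catch {
    return "invalid";
  }
  if (parsed.protocol === "https:") return "ok";
  if (parsed.protocol === "http:") {
    return nodeEnv === "production" ? "cleartext" : "ok";
  }
  return "invalid";
}

// Wrapper that reproduces the PR's console.warn; the log sink is injectable
// so the decision logic above stays side-effect free and testable.
function configureApi(env, log = console.warn) {
  const apiUrl = resolveApiUrl(env);
  const status = checkTransport(apiUrl, env.NODE_ENV);
  if (status === "cleartext") {
    log("Warning: Using insecure HTTP in production environment");
  } else if (status === "invalid") {
    log(`Warning: API_URL "${apiUrl}" is not a valid http(s) URL`);
  }
  return { apiUrl, status };
}

// Constructed sample environments covering the outcomes, including an
// operator override that points production at a cleartext endpoint.
const sampleEnvs = [
  { NODE_ENV: "development" },
  { NODE_ENV: "production" },
  { NODE_ENV: "production", NEXT_PUBLIC_API_URL: "http://api.example.test" },
  { NODE_ENV: "production", NEXT_PUBLIC_API_URL: "https://api.example.test" },
];
for (const env of sampleEnvs) {
  console.log(JSON.stringify(env), "->", JSON.stringify(configureApi(env)));
}
```

The third sample is the case worth watching in practice: the override variable itself can reintroduce cleartext, and because the check runs on the resolved URL rather than only on the built-in default, it is still flagged. Whether a "cleartext" result should only warn, as in the PR, or refuse to start is a deployment decision; the classifier returns a value so either policy can be layered on top.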

restack-app bot commented Apr 1, 2025

No applications have been configured for previews targeting branch: master. To do so go to restack console and configure your applications for previews.
