org.sonar.l10n.py.rules.python.S3752.html
An HTTP method is safe when it is used to perform a read-only operation, such as retrieving information. In contrast, an unsafe HTTP method is used to
change the state of an application, for instance to update a user's profile on a web application.
Common safe HTTP methods are GET, HEAD and OPTIONS.
Common unsafe HTTP methods are POST, PUT and DELETE.
Allowing both safe and unsafe HTTP methods to perform a specific operation on a web application could impact its security: for example, CSRF
protections usually only cover operations performed by unsafe HTTP methods, so a state-changing operation that is also reachable through a safe method is left unprotected.
Ask Yourself Whether
- HTTP methods are not defined at all for a route/controller of the application.
- Safe HTTP methods are defined and used for a route/controller that can change the state of an application.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
For all the routes/controllers of an application, the authorized HTTP methods should be explicitly defined and safe HTTP methods should only be
used to perform read-only operations.
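The following runnable example is added here and is not code from the rule, from Django or from Flask. It shows the consequence the rule describes using only the standard library: a tiny WSGI Router with an explicit per-route method allow-list, and a CSRF check that, like the default middleware of most frameworks, only runs for unsafe methods. The route paths, the accounts dict and the token value are constructed for the demo; a route registered with methods=None stands for the "no method restriction" case.

```python
"""Why a state-changing route must not accept safe methods (added example, stdlib only).

Router, csrf handling, route paths, the `accounts` dict and the token value are
constructed for this demo; the CSRF behaviour mirrors the common framework default
of validating tokens only on unsafe methods.
"""
from wsgiref.util import setup_testing_defaults

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
CSRF_TOKEN = "constructed-session-token"  # constructed; a real app binds this to the session


class Router:
    """Minimal WSGI app: path -> (allowed method set or None, handler)."""

    def __init__(self):
        self.routes = {}

    def route(self, path, methods=None):
        def register(handler):
            # methods=None means no restriction at all (the sensitive "undefined" case)
            allowed = None if methods is None else {m.upper() for m in methods}
            self.routes[path] = (allowed, handler)
            return handler
        return register

    def __call__(self, environ, start_response):
        path = environ["PATH_INFO"]
        method = environ["REQUEST_METHOD"].upper()
        if path not in self.routes:
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]
        allowed, handler = self.routes[path]
        # Explicit allow-list: anything not listed is refused with 405 and an Allow header.
        if allowed is not None and method not in allowed:
            start_response("405 Method Not Allowed",
                           [("Content-Type", "text/plain"),
                            ("Allow", ", ".join(sorted(allowed)))])
            return [b"method not allowed"]
        # CSRF check, as in most frameworks, only guards unsafe methods.
        if method not in SAFE_METHODS and environ.get("HTTP_X_CSRF_TOKEN") != CSRF_TOKEN:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"csrf check failed"]
        status, body = handler(environ)
        start_response(status, [("Content-Type", "text/plain")])
        return [body.encode()]


app = Router()
accounts = {"alice": "active"}  # constructed application state


@app.route("/sensitive/delete", methods=["GET", "POST"])  # Sensitive: a safe method can mutate state
def delete_account_sensitive(environ):
    accounts["alice"] = "deleted"
    return "200 OK", "deleted"


@app.route("/compliant/delete", methods=["POST"])  # Compliant: only an unsafe method is allowed
def delete_account_compliant(environ):
    accounts["alice"] = "deleted"
    return "200 OK", "deleted"


def call(path, method, csrf_token=None):
    """Drive the app with a synthetic request; returns (status line, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["REQUEST_METHOD"] = method
    if csrf_token is not None:
        environ["HTTP_X_CSRF_TOKEN"] = csrf_token
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body


def cross_site_get_outcomes():
    """A cross-site GET carries no CSRF token: compare both routes' status and the resulting state."""
    accounts["alice"] = "active"
    sensitive = (call("/sensitive/delete", "GET")[0], accounts["alice"])
    accounts["alice"] = "active"
    compliant = (call("/compliant/delete", "GET")[0], accounts["alice"])
    return {"sensitive": sensitive, "compliant": compliant}


if __name__ == "__main__":
    print(cross_site_get_outcomes())
    print(call("/compliant/delete", "POST"))             # 403: unsafe method without a token
    print(call("/compliant/delete", "POST", CSRF_TOKEN))  # 200: token checked, state changed
```

Running the file shows the sensitive route deleting the record on a plain GET that never reaches the CSRF check, while the compliant route answers 405 with an Allow header and leaves the record untouched; the same operation over POST is only accepted with a valid token.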
Sensitive Code Example
For Django:
    from django.http import HttpResponse
    from django.views.decorators.http import require_http_methods

    # No method restriction: the view answers any HTTP method
    def view(request): # Sensitive
        return HttpResponse("...")

    # A safe method (GET) is allowed alongside an unsafe one (POST)
    @require_http_methods(["GET", "POST"]) # Sensitive
    def view(request):
        return HttpResponse("...")
For Flask:
    from flask import Blueprint, Response
    methods = Blueprint('methods', __name__)  # assumed: the blueprint the route is registered on

    @methods.route('/sensitive', methods=['GET', 'POST']) # Sensitive
    def view():
        return Response("...", 200)
Compliant Solution
For Django:
    from django.http import HttpResponse
    from django.views.decorators.http import require_http_methods, require_POST, require_GET, require_safe

    # Each snippet stands alone: an explicit method list
    @require_http_methods(["POST"])
    def view(request):
        return HttpResponse("...")

    @require_POST
    def view(request):
        return HttpResponse("...")

    @require_GET
    def view(request):
        return HttpResponse("...")

    # require_safe allows GET and HEAD only
    @require_safe
    def view(request):
        return HttpResponse("...")
For Flask:
    from flask import Blueprint, Response
    methods = Blueprint('methods', __name__)  # assumed: the blueprint the routes are registered on

    # Without methods=, a Flask route only accepts GET (plus the automatic HEAD/OPTIONS)
    @methods.route('/compliant1')
    def view():
        return Response("...", 200)

    @methods.route('/compliant2', methods=['GET'])
    def view():
        return Response("...", 200)
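As an added example that is not SonarSource's analyzer, here is a small static check that applies the two "Ask Yourself Whether" questions to Django and Flask views using only the standard library ast module. It recognises Django's require_GET, require_POST, require_safe and require_http_methods decorators and the methods= keyword of a Flask route; everything else in it (the SAMPLE source, the distinct view names given to the snippets from the sections above, the finding strings) is constructed for the demo. A name-based check can only answer the first question: whether a GET-only view actually changes state still needs a human reader.

```python
"""Static check for S3752-style view definitions (added example, not SonarSource's analyzer).

Decorator names follow django.views.decorators.http and Flask's route(methods=...);
the sample source and finding messages are constructed for this demo.
"""
import ast

SAFE = {"GET", "HEAD", "OPTIONS"}
UNSAFE = {"POST", "PUT", "PATCH", "DELETE"}
# Django's fixed-method decorators and the methods they allow
DJANGO_FIXED = {"require_GET": {"GET"}, "require_POST": {"POST"}, "require_safe": {"GET", "HEAD"}}


def _string_list(node):
    """Set of upper-cased string literals in a list/tuple literal, or None if not a literal."""
    if isinstance(node, (ast.List, ast.Tuple)):
        return {e.value.upper() for e in node.elts
                if isinstance(e, ast.Constant) and isinstance(e.value, str)}
    return None


def declared_methods(func):
    """Methods a view's decorators allow; None when nothing restricts them."""
    for deco in func.decorator_list:
        # @require_GET / @require_POST / @require_safe
        if isinstance(deco, ast.Name) and deco.id in DJANGO_FIXED:
            return set(DJANGO_FIXED[deco.id])
        if isinstance(deco, ast.Call):
            name = deco.func.attr if isinstance(deco.func, ast.Attribute) else getattr(deco.func, "id", None)
            # @require_http_methods([...])
            if name == "require_http_methods" and deco.args:
                return _string_list(deco.args[0])
            # @bp.route(path, methods=[...]); without methods= Flask allows GET only
            if name == "route":
                for kw in deco.keywords:
                    if kw.arg == "methods":
                        return _string_list(kw.value)
                return {"GET"}
    return None


def audit(source):
    """Map each function name in `source` to a finding string, or None when compliant."""
    findings = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef):
            methods = declared_methods(node)
            if methods is None:
                findings[node.name] = "no HTTP method restriction"
            elif methods & SAFE and methods & UNSAFE:
                findings[node.name] = "mixes safe and unsafe methods: " + ", ".join(sorted(methods))
            else:
                findings[node.name] = None
    return findings


# Constructed sample: the page's snippets, each given a distinct name so they can coexist
SAMPLE = '''
def no_restriction(request):            # Sensitive
    return HttpResponse("...")

@require_http_methods(["GET", "POST"])  # Sensitive
def mixed(request):
    return HttpResponse("...")

@methods.route('/sensitive', methods=['GET', 'POST'])  # Sensitive
def flask_mixed():
    return Response("...", 200)

@require_POST
def django_post(request):
    return HttpResponse("...")

@require_safe
def django_safe(request):
    return HttpResponse("...")

@methods.route('/compliant1')
def flask_default():
    return Response("...", 200)

@methods.route('/compliant2', methods=['GET'])
def flask_get():
    return Response("...", 200)
'''

if __name__ == "__main__":
    for name, finding in audit(SAMPLE).items():
        print(f"{name}: {finding or 'ok'}")
```

Run against SAMPLE it reports the three sensitive views and passes the four compliant ones; pointing audit() at a real views module gives a quick first pass before a manual review of which GET views touch state.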
See
- OWASP - Top 10 2021 Category A1 - Broken Access Control
- OWASP - Top 10 2021 Category A4 - Insecure Design
- OWASP - Top 10 2017 Category A5 - Broken Access Control
- CWE - CWE-352 - Cross-Site Request Forgery (CSRF)
- OWASP: Cross-Site Request Forgery
- Django - Allowed HTTP Methods
- Flask - HTTP Methods