HTTP transmits data in plaintext — any network intermediary, including ISP-level traffic inspection, corporate proxies, and shared Wi-Fi routers, can read or modify the payload. An extension that sends user data over HTTP instead of HTTPS exposes that data to passive interception and active man-in-the-middle attacks. CWE-319 (Cleartext Transmission of Sensitive Information) directly describes this failure. GDPR Art. 32 requires appropriate technical measures to ensure data security in transmission; HTTP is not an appropriate measure for any data linked to a user. OWASP 2021 A02 and NIST SP 800-53 SC-8 both require confidentiality of transmitted data.
Medium because HTTP API calls containing user data are readable by any network intermediary between the extension and the server — encrypted transmission via HTTPS is a baseline security requirement, not an advanced hardening measure.
Replace every HTTP URL in fetch() and XMLHttpRequest calls with HTTPS equivalents:
    // BAD — plaintext transmission
    await fetch('http://api.example.com/user/profile', {
      method: 'POST',
      body: JSON.stringify(userData)
    });

    // GOOD — encrypted transmission
    await fetch('https://api.example.com/user/profile', {
      method: 'POST',
      body: JSON.stringify(userData)
    });
Also verify that your server enforces HSTS and TLS 1.2+ — an HTTPS URL that redirects to HTTP via server misconfiguration is as dangerous as a plain HTTP call. Run your endpoint through SSL Labs to confirm TLS configuration.
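The remediation above fixes the URLs; the following is an added example (not code from the rule text) of a small runtime guard an extension can route its API calls through, so that a plaintext URL fails before any request leaves the browser and a server-side downgrade redirect (https to http) surfaces as an error instead of being followed silently. The names `assertHttpsUrl`, `secureFetch` and the injectable `fetchImpl` parameter are assumptions for this example.

```javascript
// Added example: a fetch wrapper that enforces HTTPS at the call site.
// Not part of the rule page. `fetchImpl` is injectable so the guard can be
// exercised without network access (a stub is used below).

// Throws on anything that is not an https: URL. Relative URLs are rejected
// too, because an extension page cannot rely on them resolving to HTTPS.
function assertHttpsUrl(input) {
  const raw = typeof input === 'string' ? input : input.url;
  let url;
  try {
    url = new URL(raw);
  } catch {
    throw new TypeError(`Refusing request to non-absolute URL "${raw}"`);
  }
  if (url.protocol !== 'https:') {
    throw new TypeError(`Refusing plaintext request to ${url.href}: only https: is allowed`);
  }
  return url;
}

// True when the response's final URL (after any redirects the platform
// followed) is still HTTPS. A missing response.url (some stubs, opaque
// responses) is treated as "unknown" and therefore not secure.
function isSecureFinalUrl(response) {
  return typeof response.url === 'string' && response.url.startsWith('https://');
}

async function secureFetch(input, init = {}, fetchImpl = globalThis.fetch) {
  assertHttpsUrl(input);
  // redirect: 'error' makes fetch reject on any redirect. A misconfigured
  // server that 301s an https: endpoint to http:// therefore cannot downgrade
  // the connection behind the extension's back. The cost is that legitimate
  // https->https redirects also fail; API base URLs should be fixed instead.
  const response = await fetchImpl(input, { ...init, redirect: 'error' });
  if (!isSecureFinalUrl(response)) {
    throw new Error(`Response did not come from an HTTPS origin: ${response.url}`);
  }
  return response;
}

// Constructed stub standing in for the real fetch: echoes the request URL as
// the final URL and records the redirect mode it was given.
async function stubFetch(input, init) {
  return {
    ok: true,
    status: 200,
    url: typeof input === 'string' ? input : input.url,
    redirectMode: init.redirect
  };
}

// Constructed stub simulating a server that redirected to plaintext.
async function downgradingStubFetch(input) {
  return { ok: true, status: 200, url: String(input).replace(/^https:/, 'http:') };
}

module.exports = { assertHttpsUrl, isSecureFinalUrl, secureFetch, stubFetch, downgradingStubFetch };
```

In an extension, replace direct `fetch(...)` calls that carry user data with `secureFetch(...)`; the default `fetchImpl` is the platform `fetch`, so no stub is involved outside tests.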
ID: extension-data-privacy.storage-security.api-calls-https
Severity: medium
What to look for: Search for fetch() and XMLHttpRequest calls to external APIs. Check whether all URLs use HTTPS protocol. If possible, determine the TLS version used by the server (check security documentation or headers). Look for any HTTP (non-encrypted) calls.
Pass criteria: Count all fetch() and XMLHttpRequest URLs in the codebase. 100% of API calls that transmit user data must use HTTPS. No HTTP endpoints are used for data transmission.
Fail criteria: Any external API call uses HTTP instead of HTTPS. API endpoints use older TLS versions (TLS 1.0 or 1.1) or no TLS enforcement. Quote the actual HTTP URLs found.
Skip (N/A) when: The extension does not make external API calls, or all external calls are to public/non-sensitive endpoints.
Detail on fail: Identify the unencrypted calls. Example: "User profile data sent to http://api.example.com/profile (not HTTPS) — transmitted in plaintext" or "External API configured with https:// but endpoint redirects to http:// without forcing secure connection."
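The "What to look for", pass, fail and skip criteria above describe a manual search; the following is an added example (not code from the rule page) of that search as a static check over extension source. It matches string-literal URLs passed to `fetch()` and `XMLHttpRequest.open()`, skips relative URLs and local development hosts (the skip rule's "non-sensitive endpoints", approximated here by an allow-list), and renders each finding in the quoting style the rule asks for. The function names, the allow-list and the sample source are assumptions for this example; dynamic or template-built URLs are not resolved and still need manual review.

```javascript
// Added audit helper: static scan for plaintext API calls in extension source.
// Not part of the rule page. Regex-level matching of literal URLs is enough
// for a first pass; it does not evaluate variables or template literals.

// Hosts treated as local development targets rather than external APIs
// (assumption: adjust to the extension's own environment).
const LOCAL_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Matches either  fetch('<url>'  or  .open('<METHOD>', '<url>'  with a
// literal URL in matching quotes. Group 1 = call prefix, group 3 = URL.
const CALL_WITH_LITERAL_URL =
  /(fetch\s*\(|\.open\s*\(\s*['"`][A-Za-z]+['"`]\s*,)\s*(['"`])([^'"`]+)\2/g;

function findPlaintextApiCalls(source, { allowHosts = LOCAL_HOSTS } = {}) {
  const findings = [];
  const pattern = new RegExp(CALL_WITH_LITERAL_URL.source, 'g');
  let m;
  while ((m = pattern.exec(source)) !== null) {
    const url = m[3];
    let parsed;
    try {
      parsed = new URL(url);
    } catch {
      continue; // relative URL: resolves against the extension's own origin
    }
    if (parsed.protocol !== 'http:') continue;     // https:, chrome-extension:, ...
    if (allowHosts.has(parsed.hostname)) continue; // local dev endpoint
    const line = source.slice(0, m.index).split('\n').length;
    findings.push({
      line,
      url,
      call: m[1].startsWith('fetch') ? 'fetch' : 'XMLHttpRequest.open'
    });
  }
  return findings;
}

// Pass criteria: no external API call over plain HTTP.
function rulePasses(findings) {
  return findings.length === 0;
}

// Renders a finding in the form the "Detail on fail" field asks for.
function describeFinding(f) {
  return `line ${f.line}: ${f.call} to ${f.url} (not HTTPS), transmitted in plaintext`;
}

// Constructed sample of extension source, mixing compliant and non-compliant calls.
const SAMPLE_SOURCE = `
const profile = await fetch('http://api.example.com/user/profile', { method: 'POST' });
const safe = await fetch("https://api.example.com/user/settings");
const dev = await fetch('http://localhost:8080/debug');
const xhr = new XMLHttpRequest();
xhr.open('GET', 'http://telemetry.example.com/ping');
xhr.open('GET', '/relative/path');
`;

module.exports = { findPlaintextApiCalls, rulePasses, describeFinding, SAMPLE_SOURCE, LOCAL_HOSTS };
```

Run it over each script in the extension package (background, content scripts, popup) and quote `describeFinding()` output for every hit; an empty result for all files satisfies the pass criteria for the HTTP/HTTPS part of the rule, while TLS version enforcement on the server still has to be checked separately.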
Remediation: Use HTTPS for all external API calls:
    // BAD
    fetch('http://api.example.com/user', { ... });

    // GOOD
    fetch('https://api.example.com/user', { ... });
Configure servers to enforce TLS 1.2+ and HSTS headers.