Python Httpx Cleartext Sensitive Information
Description
Detects when sensitive information is transmitted over cleartext (non-HTTPS) using the Python httpx library. This creates a security risk because data sent over HTTP can be intercepted and read by attackers performing man-in-the-middle attacks.
Detection Strategy
• Check if the Python httpx library is imported in the code
• Identify calls to httpx functions (get, post, put, patch, delete, request, stream) or httpx.Client/AsyncClient methods
• Look for HTTP URLs (those not using the HTTPS scheme)
• Check if the requests contain sensitive information in parameters, data, json, or headers payloads
• Flag cases where sensitive data is sent over non-secure HTTP connections
Vulnerable code example
import httpx
# VULNERABLE: Password sent over cleartext HTTP
httpx.post("http://api.example.com/login", json={"password": "secret123"})
# VULNERABLE: API key exposed in query string over cleartext HTTP
httpx.get("http://api.example.com/data", params={"api_key": "key_abc"})
✅ Secure code example
import httpx
# SAFE: HTTPS encrypts data in transit
httpx.post("https://api.example.com/login", json={"password": "secret123"})
# SAFE: Non-sensitive payload key
httpx.post("http://api.example.com/metrics", json={"cpu_usage": 0.75})
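The detection strategy above, implemented as a literal-only static check over a Python AST; this is an added example, not Fluid Attacks' rule engine. The sensitive-key list and the sample source (the page's vulnerable and secure calls plus a Client method call) are constructed for the example.

```python
import ast

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "request", "stream"}
PAYLOAD_KWARGS = ("params", "data", "json", "headers")
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "api_key", "apikey", "authorization"}  # constructed list
# Constructed sample: the page's vulnerable/secure calls plus a Client method call.
SAMPLE = """import httpx
httpx.post("http://api.example.com/login", json={"password": "secret123"})
httpx.get("http://api.example.com/data", params={"api_key": "key_abc"})
httpx.post("https://api.example.com/login", json={"password": "secret123"})
httpx.post("http://api.example.com/metrics", json={"cpu_usage": 0.75})
with httpx.Client() as client:
    client.get("http://api.example.com/me", headers={"Authorization": "Bearer t"})
"""


def find_cleartext_sensitive(source):
    """Return (line, key) pairs for httpx calls sending a sensitive key to an http:// URL."""
    tree = ast.parse(source)
    httpx_aliases, client_names, findings = set(), set(), []
    for node in ast.walk(tree):  # step 1: "import httpx" / "import httpx as hx"
        if isinstance(node, ast.Import):
            httpx_aliases.update(a.asname or a.name for a in node.names if a.name == "httpx")
    for node in ast.walk(tree):  # names bound by "c = httpx.Client()" / "with httpx.Client() as c"
        if isinstance(node, (ast.Assign, ast.withitem)):
            value = node.value if isinstance(node, ast.Assign) else node.context_expr
            targets = node.targets if isinstance(node, ast.Assign) else [node.optional_vars]
            f = value.func if isinstance(value, ast.Call) else None
            if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                    and f.value.id in httpx_aliases and f.attr in ("Client", "AsyncClient")):
                client_names.update(t.id for t in targets if isinstance(t, ast.Name))
    for node in ast.walk(tree):  # step 2: httpx.<method>(...) or <client>.<method>(...)
        func = node.func if isinstance(node, ast.Call) else None
        if not (isinstance(func, ast.Attribute) and func.attr in HTTP_METHODS
                and isinstance(func.value, ast.Name)
                and func.value.id in httpx_aliases | client_names):
            continue
        # step 3: URL is url= or the first positional arg (second for request/stream)
        pos = 1 if func.attr in ("request", "stream") else 0
        url = next((kw.value for kw in node.keywords if kw.arg == "url"),
                   node.args[pos] if len(node.args) > pos else None)
        if not (isinstance(url, ast.Constant) and isinstance(url.value, str)
                and url.value.lower().startswith("http://")):
            continue  # https and non-literal URLs are not flagged by this literal-only check
        # steps 4-5: flag sensitive keys in params/data/json/headers dict literals
        for kw in node.keywords:
            if kw.arg in PAYLOAD_KWARGS and isinstance(kw.value, ast.Dict):
                for key in kw.value.keys:
                    if isinstance(key, ast.Constant) and str(key.value).lower() in SENSITIVE_KEYS:
                        findings.append((node.lineno, key.value))
    return findings
```

Running it on SAMPLE reports the two vulnerable calls and the Client call that sends an Authorization header over http, while the https call and the non-sensitive metrics payload are not flagged.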