Remote content fetched over plaintext HTTP
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
curl/wget against a literal http:// URL sends the request, and reads back the response, in the clear: a network attacker between this machine and the server can read or replace what comes back. This is a heuristic on a hardcoded, non-localhost URL; an internal/intranet address behind a trusted network may be an intentional exception, but anything fetched from the public internet should use https://.
Why it matters
A curl/wget request to a literal http:// URL sends the request, and reads back the response, in the clear. A network attacker positioned between this machine and the server, a hostile Wi-Fi network, a compromised router, a malicious exit node, can read or silently replace whatever comes back. This is a heuristic on a hardcoded, non-localhost URL; a genuinely internal address on a trusted private network can be a deliberate exception.
How to fix it
Change the URL to https:// wherever the server supports it (almost every public service does today). If a specific internal endpoint genuinely has no TLS available, confirm the network path is trusted and isolated, and consider putting a TLS-terminating proxy in front of it instead.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo