Will It Vibe logoWill It Vibe?
WEBSEC-021Low severity-4 points

Outbound request over cleartext http://

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.

What it detects

A fetch/axios/got call targets an http:// URL, sending the request and any credentials in cleartext where a network attacker can read or modify them.

Why it matters

An outbound request to an http:// URL is sent in cleartext, so anyone on the network path can read the contents and any credentials or tokens it carries, and can modify the response. On the server this often reaches internal services that assume a safe network, which is not a safe assumption. It also blocks moving the app to a strict HTTPS-only posture.

How to fix it

Change the URL to https:// and confirm the target supports TLS with a valid certificate. For internal services, terminate TLS or use a service mesh rather than plain http. Do not disable certificate verification to make https work; fix the certificate instead. Keep base URLs in configuration so they are easy to audit.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks