HIGH missing tlschijwt tokens

Missing Tls in Chi with Jwt Tokens

Scan for missing tls in chi

Missing Tls in Chi with Jwt Tokens — how this specific combination creates or exposes the vulnerability

Transport Layer Security (TLS) ensures confidentiality and integrity for HTTP traffic. When a Chi-based API endpoint does not enforce TLS, any data exchanged—including JWT tokens—can be observed or altered in transit. JWTs are often used for stateless authentication and authorization; they are typically transmitted in the Authorization header as a bearer token. If the service is reachable over HTTP, an on-path attacker can intercept these tokens, leading to token theft, session hijacking, or impersonation.

Chi is a functional routing library for Clojure web applications. A common misconfiguration is exposing a Chi handler on HTTP while it issues or validates JWTs, without redirecting to HTTPS or requiring TLS at the server/load balancer level. Because JWTs often contain identity claims and may not be encrypted themselves (they are typically signed, not encrypted), intercepting them reveals user identity and permissions. This becomes critical when applications mistakenly embed sensitive information in the JWT payload, relying only on signature integrity while neglecting transport protection.

Another subtle risk involves service-to-service communication: internal Chi services that accept JWTs over HTTP within a supposedly trusted network may inadvertently allow token leakage if logs or monitoring capture Authorization headers. The scanner category Data Exposure can detect such endpoints during an unauthenticated scan. Additionally, weak or missing TLS can enable downgrade attacks where a client is tricked into using an insecure connection, making signature validation irrelevant if the token never reaches the server securely.

Jwt Tokens-Specific Remediation in Chi — concrete code fixes

Remediation focuses on enforcing TLS and ensuring JWTs are only transmitted over secure channels. Below are concrete examples for a Chi application using the buddy-sign library for JWT handling.

Enforce HTTPS in Chi routes

Use middleware to reject or redirect non-TLS requests before they reach handlers that issue or validate JWTs.

(ns myapp.core
  (:require [compojure.core :refer [defroutes GET]]
            [compojure.route :as route]
            [hiccup.core :refer [html]]
            [buddy.sign.jwt :as jwt]))

(defn secure-only-handler [request]
  (if (= (:server-port request) 443)
    {:status 200 :body "OK"}
    {:status 301 :headers {"Location" (str "https://" (:server-name request) (:request-uri request))}
     :body "Redirecting to HTTPS"}))

(defroutes app-routes
  (GET "/login" [] (login-form))
  (GET "/callback" [] callback-handler)
  (route/not-found "Not Found"))

(def app
  (-> app-routes
      (wrap-defaults site-defaults)
      (wrap-secure-only))) ;; custom middleware ensuring TLS

JWT issuance and validation over HTTPS

When issuing a JWT, ensure the token is handed to the client only when the request arrived over HTTPS. Similarly, when validating tokens, prefer checking the token binding to the channel’s TLS properties where available.

(ns myapp.auth
  (:require [buddy.sign.jwt :as jwt]
            [ring.util.response :as resp]))

(def secret-key "s3cr3t-k3y-3n0ugh-l3ngth")

(defn issue-token [user-map request]
  (if (= (:scheme request) :https)
    (let [token (jwt/sign {:sub (:uid user-map) :role (:role user-map)} secret-key)]
      (resp/response {:token token}))
    (resp/response {:error "Use HTTPS to obtain a token"} :status 403)))

(defn validate-token [request]
  (let [token (some-> request :headers (get "authorization"))
        claims (jwt/unsign token secret-key {:alg :hs256})]
    (if claims
      {:status 200 :body (str "Authenticated as " (:sub claims))}
      {:status 401 :body "Invalid token"})))

Server-level TLS enforcement

In production, enforce TLS at the proxy or load balancer in front of Chi. Configure your server to redirect HTTP to HTTPS and to require valid certificates for all API endpoints, especially those handling JWTs.

# Example Nginx snippet
server {
    listen 80;
    server_name api.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/api.example.com.crt;
    ssl_certificate_key /etc/ssl/private/api.example.com.key;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Authorization $http_authorization;
    }
}

Related CWEs: encryption

CWE IDNameSeverity
CWE-319Cleartext Transmission of Sensitive Information HIGH
CWE-295Improper Certificate Validation HIGH
CWE-326Inadequate Encryption Strength HIGH
CWE-327Use of a Broken or Risky Cryptographic Algorithm HIGH
CWE-328Use of Weak Hash HIGH
CWE-330Use of Insufficiently Random Values HIGH
CWE-338Use of Cryptographically Weak PRNG MEDIUM
CWE-693Protection Mechanism Failure MEDIUM
CWE-757Selection of Less-Secure Algorithm During Negotiation HIGH
CWE-261Weak Encoding for Password HIGH
Scan for missing tls in chi Free API security scan

Frequently Asked Questions

Why are JWT tokens particularly risky when transmitted without TLS?
JWTs often carry identity and permission claims. Without TLS, tokens can be intercepted, enabling impersonation and privilege escalation even if the token is cryptographically signed, because the secrecy of the channel is required to prevent token theft.
Does using HTTPS alone fully protect JWT tokens in Chi applications?
HTTPS protects tokens in transit, but you should also avoid embedding sensitive data in the JWT payload, use short expirations, validate signatures rigorously, and enforce TLS at the server or load balancer level for all endpoints that issue or validate tokens.

Related Pages

Missing Tls in ChiHow missing TLS creates critical vulnerabilities in Chi Go applications, with specific detection methods and Chi-native Missing Tls with Jwt TokensLearn how missing TLS compromises JWT tokens through interception, replay attacks, and session hijacking. Discover detecMissing Tls in Chi on AzureUnderstand and remediate missing TLS in Chi apps on Azure, with concrete code and Azure settings to enforce HTTPS.Missing Tls in Chi on DockerUnderstand how missing TLS in Chi with Docker exposes endpoints, and apply concrete Dockerfile and runtime fixes to enfoMissing Tls in Chi on CloudflareUnderstand missing TLS in Chi behind Cloudflare, associated risks, and concrete code fixes to enforce origin encryption.Missing Tls in Chi on AwsmiddleBrick scans identify Missing Tls in Chi on AWS, providing severity, remediation guidance, and integration options.Hipaa: Missing Tls in ChiExplore HIPAA implications of Missing TLS in Chi APIs, and apply concrete code fixes to enforce HTTPS and strong protocoGdpr: Missing Tls in ChiExplore GDPR implications of missing TLS in Chi applications, with Chi-specific remediation examples and middleBrick detIso 27001: Missing Tls in ChiExplore ISO 27001 controls for missing TLS in Chi services, with Chi-specific code examples and remediation guidance.Cis: Missing Tls in ChiCIS guidance for Missing TLS in Chi apps: enforce HTTPS via reverse proxy or http.Server, use HSTS, and validate with MiMissing Tls in Chi with DynamodbUnderstand and fix Missing TLS in Chi services using DynamoDB, with concrete F# code examples and remediation guidance.Missing Tls in Chi with CockroachdbMissing Tls in Chi with Cockroachdb: risks and concrete Go code fixes to enable TLS and secure database connections.