HIGH missing tlsdjangocockroachdb

Missing Tls in Django with Cockroachdb

Scan for missing tls in django

Missing Tls in Django with Cockroachdb — how this specific combination creates or exposes the vulnerability

When a Django application connects to CockroachDB without Transport Layer Security (TLS), credentials, queries, and result sets traverse the network in plaintext. This exposes the application to network-level interception, credential theft, and data manipulation. middleBrick detects Missing TLS as a distinct finding because unencrypted database channels bypass authentication and authorization protections, regardless of how robust Django’s own security settings are.

In a typical deployment, Django’s database configuration in settings.py specifies connection parameters. If OPTIONS does not enforce TLS (e.g., missing 'sslmode': 'require'), the TCP connection to CockroachDB’s port remains unencrypted. CockroachDB, by default, may accept plaintext connections unless cluster certificates are enforced. An attacker who can observe or inject traffic between Django and the database can capture usernames, passwords, and sensitive data. This aligns with OWASP API Top 10’s vulnerability category related to insecure communication, and it can map to findings such as Data Exposure and Encryption in a middleBrick scan.

Moreover, Missing TLS amplifies risks like BOLA/IDOR and BFLA/Privilege Escalation when unauthorized network access exists. Even if the API endpoint itself is protected, an unprotected database channel allows lateral movement. middleBrick’s 12 checks run in parallel, and Missing TLS is flagged alongside Authentication and Encryption checks to highlight the chain of weaknesses. In CI/CD workflows, the GitHub Action can fail a build if the risk score drops below a defined threshold, encouraging teams to enforce TLS before deployment.

Cockroachdb-Specific Remediation in Django — concrete code fixes

To secure Django applications connecting to CockroachDB, enforce TLS by configuring SSL options in the database settings and ensuring the server certificates are available and validated.

1. Configure Django to require TLS

Update settings.py to include SSL connection parameters. Use 'sslmode': 'verify-full' to enforce encryption and validate the server certificate against a trusted CA. This prevents man-in-the-middle attacks and ensures the identity of the CockroachDB server.

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql',
        'NAME': 'mydatabase',
        'USER': 'myuser',
        'PASSWORD': 'strongpassword',
        'HOST': 'cockroachdb.example.com',
        'PORT': '26257',
        'OPTIONS': {
            'sslmode': 'verify-full',
            'sslrootcert': '/path/to/ca.pem',
            'sslcert': '/path/to/client.pem',
            'sslkey': '/path/to/client.key',
        },
    }
}

The sslrootcert points to the CA certificate that signed the CockroachDB server certificate. The sslcert and sslkey provide client certificate authentication if mutual TLS is required. Using verify-full ensures the hostname matches the certificate, which is critical for preventing spoofing.

2. CockroachDB certificate and cluster configuration

On the CockroachDB side, generate and distribute certificates appropriately. For a secure cluster, use the cockroach cert command to create CA, node, and client certificates. When starting the nodes, specify the certificate and key files. For Django to authenticate the server, the CA certificate must be distributed to the application.

Example CockroachDB start command for a node (illustrative, not executed via Django):

cockroach start --certs-dir=certs --store=node1

To test connectivity with TLS from the Django environment, you can use a script that mimics the database driver’s behavior:

import psycopg2

conn = psycopg2.connect(
    dbname='mydatabase',
    user='myuser',
    password='strongpassword',
    host='cockroachdb.example.com',
    port='26257',
    sslmode='verify-full',
    sslrootcert='/path/to/ca.pem',
)
cur = conn.cursor()
cur.execute('SELECT 1')
print(cur.fetchone())
cur.close()
conn.close()

This snippet confirms that the TLS handshake succeeds and the application can securely communicate with CockroachDB. If the certificates are missing or mismatched, the connection will fail, which is preferable to silent plaintext transmission.

3. Operational practices

Store certificate paths securely and manage them using secrets management tools. Avoid hardcoding credentials in settings; use environment variables or a secrets manager and reference them in settings.py. Rotate certificates regularly and monitor for expiration. middleBrick’s continuous monitoring (Pro plan) can alert you when TLS configurations drift or when unencrypted endpoints are detected during scans.

Related CWEs: encryption

CWE IDNameSeverity
CWE-319Cleartext Transmission of Sensitive Information HIGH
CWE-295Improper Certificate Validation HIGH
CWE-326Inadequate Encryption Strength HIGH
CWE-327Use of a Broken or Risky Cryptographic Algorithm HIGH
CWE-328Use of Weak Hash HIGH
CWE-330Use of Insufficiently Random Values HIGH
CWE-338Use of Cryptographically Weak PRNG MEDIUM
CWE-693Protection Mechanism Failure MEDIUM
CWE-757Selection of Less-Secure Algorithm During Negotiation HIGH
CWE-261Weak Encoding for Password HIGH
Scan for missing tls in django Free API security scan

Frequently Asked Questions

Does using an ORM prevent TLS-related risks?
No. An ORM like Django’s database layer only shapes queries; it does not enforce network encryption. TLS must be configured at the database connection level, as shown in the settings example.
Can I use 'sslmode=require' instead of 'verify-full'?
'sslmode=require' encrypts traffic but does not verify the server certificate, leaving you vulnerable to man-in-the-middle attacks. For production, prefer 'verify-full' with a trusted CA to ensure both encryption and identity validation.

Related Pages

Missing Tls in CockroachdbMissing TLS in CockroachDB exposes credentials and data in transit. Learn how to detect and fix TLS misconfigurations spMissing Tls in Django on CloudflareUnderstand how missing TLS enforcement behind Cloudflare exposes Django, and apply concrete header and security settingsMissing Tls in Django on AzureUnderstand and fix missing TLS in Django on Azure. Enforcement patterns, Django settings, Bicep examples, and how middleMissing Tls in Django on DigitaloceanUnderstand Missing TLS in Django on Digitalocean and apply concrete fixes using load balancer settings and Django securiHipaa: Missing Tls in DjangoHIPAA, Missing TLS, and Django: understanding and remediating lack of transport encryption in APIs with concrete code exGdpr: Missing Tls in DjangoGDPR in Missing Tls with Django: risks and remediation examples for secure data in transit.Missing Tls in Django with Bearer TokensHow missing TLS exposes Bearer tokens in Django APIs and concrete remediation steps with secure code examples.Missing Tls in Django with Mutual TlsExplore missing TLS risks in Django with mutual TLS. Learn mTLS-specific remediation, real code examples, and how middleIso 27001: Missing Tls in DjangomiddleBrick: ISO 27001 guidance for Missing TLS in Django — detection, remediation code, and secure configuration examplCis: Missing Tls in DjangoExplore Cis in Missing Tls with Django, understand the risks, and apply concrete Django settings for HTTPS enforcement aMissing Tls in Django with Hmac SignaturesMissing TLS in Django with HMAC signatures exposes replay and data exposure risks. Enforce HTTPS and validate HMAC, timeMissing Tls in Django with Basic AuthHow missing TLS with Basic Auth creates credential exposure in Django and how to enforce HTTPS with secure settings and