Backend service is not enforcing HTTPS Affecting Compute Engine service in Google
Severity Framework
CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Snyk CCSS
Rule category
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Network/ Protocols
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
CIS-ControlsCSA-CCMGDPRHIPAAISO-27001NIST-800-53PCI-DSSSOC-2
- Snyk IDSNYK-CC-00399
- creditSnyk Research Team
Description
Connection is vulnerable to being intercepted and hijacked to steal data.
How to fix?
Set protocol attribute to either HTTPS or SSL.
Example Configuration
resource "google_compute_region_backend_service" "allowed" {
region = "us-central1"
name = "region-service-399-1"
project = "test-project"
protocol = "HTTPS"
load_balancing_scheme = "INTERNAL_MANAGED"
locality_lb_policy = "ROUND_ROBIN"
}
resource "google_compute_region_backend_service" "allowed2" {
region = "us-central1"
name = "region-service-399-2"
project = "test-project"
protocol = "SSL"
load_balancing_scheme = "EXTERNAL"
locality_lb_policy = "MAGLEV"
}