Check HTTPS is always used

2025-11-03 18:03:25 -05:00 · 2017-04-01 21:33:56 -04:00
parent 62f0ae600b
commit 47f1b82c0b
1 changed files with 5 additions and 0 deletions
--- a/client.go
+++ b/client.go
@@ -4,6 +4,7 @@ import (
 	"errors"
 	"io"
 	"net/http"
+	"strings"
 )

 type Client struct {
@@ -62,6 +63,10 @@ func (c *Client) IndentRequests() bool {
 // read from 'r'. The caller is responsible for closing the http Response.Body
 // (see the http module's documentation for more information)
 func RawRequest(URL string, r io.Reader) (*http.Response, error) {
+	if !strings.HasPrefix(URL, "https://") {
+		return nil, errors.New("Refusing to send OFX request with possible plain-text password over non-https protocol")
+	}
+
 	response, err := http.Post(URL, "application/x-ofx", r)
 	if err != nil {
 		return nil, err