Edit

AvoidUsingAllowUnencryptedAuthentication

Severity Level: Warning

Description

This rule detects the AllowUnencryptedAuthentication parameter used with Invoke-WebRequest and Invoke-RestMethod cmdlets. When AllowUnencryptedAuthentication is used, it permits credentials and secrets to be transmitted over unencrypted connections, creating a security risk.

Avoid using this parameter unless you must maintain compatibility with legacy systems that require unencrypted authentication.

To learn more, see Invoke-WebRequest and Invoke-RestMethod.

Example

Noncompliant

Invoke-WebRequest foo -AllowUnencryptedAuthentication

Compliant

Invoke-WebRequest foo