# OAuth2 authorization code intercepted by reverse proxy due to missing TLS termination at proxy

- **ID:** `security/oauth2-authorization-code-interception-via-reverse-proxy`
- **Domain:** security
- **Category:** auth_error
- **Verification:** ai_generated
- **Fix Rate:** 92%

## Root Cause

When a reverse proxy terminates TLS but forwards plain HTTP to the backend, the authorization code is transmitted in cleartext on the internal network, allowing any process on that network segment to intercept it.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| OAuth 2.0 | active | — | — |
| nginx 1.24.0 | active | — | — |
| Apache HTTP Server 2.4.57 | active | — | — |
| Spring Security 6.1.0 | active | — | — |

## Workarounds

1. **Configure the reverse proxy to terminate TLS at the proxy and re-encrypt traffic to the backend (e.g., nginx `proxy_pass` with HTTPS).** (95% success)
   ```
   proxy_pass https://backend:443;
   proxy_ssl_verify off;
   ```
2. **Use mTLS between proxy and backend to ensure an encrypted channel even on the internal network.** (85% success)
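The two workarounds side by side in an nginx configuration, as an added example that is not part of this entry: the weak server block forwards the callback (and the authorization code in its query string) over cleartext HTTP, the hardened block re-encrypts the hop, verifies the backend certificate and presents a client certificate for mTLS. The hostnames `auth.example.com` and `backend.internal` and the paths under `/etc/nginx/certs/` are assumed placeholders.

```nginx
# Weak: TLS terminates at the proxy, but the hop to the backend is plain HTTP.
# The code in /callback?code=... crosses the internal network in the clear.
server {
    listen 443 ssl;
    server_name auth.example.com;                      # assumed name
    ssl_certificate     /etc/nginx/certs/auth.example.com.pem;
    ssl_certificate_key /etc/nginx/certs/auth.example.com.key;

    location / {
        proxy_pass http://backend.internal:8080;       # cleartext hop
    }
}

# Hardened: re-encrypt to the backend and verify its certificate (workaround 1),
# and present a client certificate so the backend can require mTLS (workaround 2).
server {
    listen 443 ssl;
    server_name auth.example.com;
    ssl_certificate     /etc/nginx/certs/auth.example.com.pem;
    ssl_certificate_key /etc/nginx/certs/auth.example.com.key;

    location / {
        proxy_pass https://backend.internal:443;

        # "proxy_ssl_verify off" (as quoted in workaround 1) encrypts the hop but
        # accepts any certificate; "on" plus a trusted CA also authenticates the
        # backend, so a host impersonating it on the segment is rejected.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/certs/internal-ca.pem;  # assumed path
        proxy_ssl_server_name         on;
        proxy_ssl_name                backend.internal;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # Client certificate for mTLS to the backend (workaround 2); the backend
        # must be configured to require and validate it.
        proxy_ssl_certificate         /etc/nginx/certs/proxy-client.pem;
        proxy_ssl_certificate_key     /etc/nginx/certs/proxy-client.key;

        # Preserve the original scheme and host so the backend builds https://
        # redirect URIs instead of http:// ones.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host             $host;
    }
}
```

Check the result with `nginx -t` and then confirm on the backend host (e.g. a packet capture on its interface) that the callback request no longer arrives as readable HTTP.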

## Dead Ends

- **Adding HTTPS certificate to the backend server without changing proxy configuration** — The proxy still forwards HTTP; backend HTTPS doesn't protect the wire between proxy and backend. (95% fail)
- **Using a self-signed certificate on the backend to force HTTPS termination at backend** — Self-signed certs cause backend SSL errors; the proxy may still strip TLS or fail to forward. (80% fail)
