By DeepSource

Deprecated HttpClient implementations should not be used JAVA-S1067

Security a02 a06 owasp top 10

The DefaultHttpClient class has been deprecated since Apache httpclient library version 4.3. Avoid using it, as it does not make use of the latest TLS standard, leading to the possibility of a MiTM (Man in The Middle) attack.

Bad Practice

HttpClient client = new DefaultHttpClient();


There are a number of alternatives you can use instead.

Set the http.protocols system property to take advantage of the latest TLS version:

java ... -Dhttps.protocols=TLSv1.2,TLSv1.3

Now, you can make use of one of the following alternatives to create a suitable HttpClient.

HttpClient client = HttpClients.createSystem();
HttpClient client = HttpClientBuilder.create().useSystemProperties().build();


  • OWASP Top Ten (2021) - Category A02 - Cryptographic Failures
  • OWASP Top Ten (2021) - Category Ad06 - Vulnerable and Outdated Components