Go

Made by DeepSource

MinVersion is missing from this TLS configuration GO-S1020

Security
Major
a05 a02 a06 cwe-327 sans top 25 owasp top 10

MinVersion is missing from this TLS configuration. As the default value is TLS 1.0, which is considered insecure, it is recommended to explicitly set the MinVersion to a secure version of TLS, such as VersionTLS13.

Bad practice

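client := &http.Client{
    Transport: &http.Transport{
        // No MinVersion field: the minimum TLS version is left at the default.
        TLSClientConfig: &tls.Config{
            KeyLogWriter:       w,
            Rand:               rand{},
            InsecureSkipVerify: true, // disables certificate verification; a separate issue from the one this check reports
        },
    },
}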

Recommended

client := &http.Client{
    Transport: &http.Transport{
        TLSClientConfig: &tls.Config{
            KeyLogWriter:       w,
            MinVersion:         tls.VersionTLS13, // min version set
            Rand:               rand{},
            InsecureSkipVerify: true, // kept from the example above; still disables certificate verification
        },
    },
}
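What the explicit MinVersion changes at handshake time, as an added example that is not DeepSource's code or part of the original page: a client pinned to TLS 1.3 refuses a server that offers nothing newer than TLS 1.2. The helper name negotiate and the local httptest server are assumptions made for the demonstration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// negotiate (hypothetical helper) starts a local test server whose highest
// TLS version is serverMax, connects with a client whose tls.Config sets
// MinVersion to clientMin, and returns the negotiated version or the error.
func negotiate(clientMin, serverMax uint16) (uint16, error) {
	// Constructed test server; httptest supplies its own test certificate.
	srv := httptest.NewUnstartedServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") }))
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12, MaxVersion: serverMax}
	srv.StartTLS()
	defer srv.Close()

	// srv.Client() already trusts the test certificate, so certificate
	// verification stays enabled; only the version floor is changed here.
	client := srv.Client()
	tr := client.Transport.(*http.Transport)
	tr.TLSClientConfig.MinVersion = clientMin

	resp, err := client.Get(srv.URL)
	if err != nil {
		return 0, err // handshake refused: no TLS version both sides accept
	}
	defer resp.Body.Close()
	return resp.TLS.Version, nil
}

func main() {
	for _, floor := range []uint16{tls.VersionTLS12, tls.VersionTLS13} {
		v, err := negotiate(floor, tls.VersionTLS12)
		fmt.Printf("client MinVersion %#x, server max TLS 1.2: version=%#x err=%v\n",
			floor, v, err)
	}
}
```
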
