Made by DeepSource

Certificate validation is disabled in TLS connection JS-S1017

Security
Critical
Autofix · A07 · CWE-295 · OWASP Top 10

Certificate validation is an essential part of a Transport Layer Security (TLS) connection: it is how the client establishes that it is talking to the server it intended to reach, which in turn protects the authenticity and integrity of the data being transmitted. Disabling it exposes the connection to several risks, most directly a man-in-the-middle (MITM) attack. Without certificate validation, an attacker positioned on the network path can intercept the connection and present a forged certificate, which the client will accept; the attacker can then read and potentially modify everything transmitted.

Setting the rejectUnauthorized option to false is one way certificate validation gets disabled when a TLS connection is opened through the http, https or tls modules. The option defaults to true, so simply not setting it keeps validation enabled.

Bad Practice

import tls from 'tls'
tls.connect(
  {
    host: 'example.com', // placeholder host
    port: 443,
    rejectUnauthorized: false // certificate validation is disabled: any certificate is accepted
  },
  () => {} // 'secureConnect' listener; tls.connect passes it no arguments
)

Recommended

import tls from 'tls'
tls.connect(
  {
    host: 'example.com', // placeholder host
    port: 443,
    rejectUnauthorized: true // alternatively: do not set `rejectUnauthorized`, as it is configured correctly by default.
  },
  () => {} // 'secureConnect' listener; tls.connect passes it no arguments
)
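The recommended form above keeps the default. As an added example (not part of the DeepSource rule or of Node's own API), the following guard audits http/https/tls connection options before they are used and builds options that keep validation on even for a server signed by a private CA, which is the usual reason developers reach for rejectUnauthorized: false. It goes slightly beyond the rule text by also checking an https.Agent's own options and the NODE_TLS_REJECT_UNAUTHORIZED environment variable, both of which are real Node behaviours; the function names and the placeholder host are this example's own.

```javascript
// Added example, not from the DeepSource rule page. `rejectUnauthorized`, `ca`,
// `servername`, the Agent `options` property and NODE_TLS_REJECT_UNAUTHORIZED
// are Node features; the function names below are hypothetical.

// Returns a list of findings; an empty list means validation stays enabled.
function auditTlsOptions(options = {}) {
  const findings = []
  if (options.rejectUnauthorized === false) {
    findings.push('rejectUnauthorized is false: peer certificate is not validated (CWE-295)')
  }
  // https.request() accepts an Agent whose own options can disable validation.
  const agentOpts = options.agent && options.agent.options
  if (agentOpts && agentOpts.rejectUnauthorized === false) {
    findings.push('agent was created with rejectUnauthorized: false')
  }
  return findings
}

// NODE_TLS_REJECT_UNAUTHORIZED=0 disables validation for the whole process,
// so a clean options object is not sufficient on its own.
function auditTlsEnvironment(env = process.env) {
  return env.NODE_TLS_REJECT_UNAUTHORIZED === '0'
    ? ['NODE_TLS_REJECT_UNAUTHORIZED=0 disables certificate validation process-wide']
    : []
}

// Options for a host whose certificate chains to a private CA: pin that CA's
// PEM via `ca` instead of turning validation off. rejectUnauthorized is left
// unset, so Node's default (true) applies.
function safeTlsOptions(host, port, caPem) {
  const options = { host, port, servername: host }
  if (caPem) options.ca = caPem
  return options
}

// Connects only when the audit passes. Dynamic import keeps this usable from
// both CommonJS and ES modules.
async function connectChecked(options, onSecureConnect) {
  const findings = auditTlsOptions(options).concat(auditTlsEnvironment())
  if (findings.length > 0) {
    throw new Error('refusing insecure TLS configuration: ' + findings.join('; '))
  }
  const tls = await import('node:tls')
  return tls.connect(options, onSecureConnect)
}
```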
