# Missing or Permissive SSL Hostname Verifier

## Overview

* **Rule ID**: `java_lang_ssl_hostname_verifier`
* **Applicable Languages**: Java
* **Weakness ID**: CWE-295

## Description

Always verify the server's hostname against its certificate when establishing an SSL/TLS connection. Certificate validation only proves that *some* trusted CA issued the certificate; without the hostname check the connection is encrypted but not authenticated, because a certificate issued for any other name is accepted as well. An attacker who can redirect traffic (DNS or ARP spoofing, a rogue access point, a compromised proxy) can then present their own valid certificate and read or modify the traffic in a Man-in-the-Middle attack. The weakness (CWE-295) occurs when the application does not ensure that the hostname it connected to matches the names in the server's certificate (subject alternative names, or the legacy common name).

## Remediation Guidelines

* **Do not use** `ALLOW_ALL_HOSTNAME_VERIFIER` or any similarly permissive hostname verifier. These verifiers accept any certificate for any hostname, so they silently remove the authentication half of TLS. Installing one with `setDefaultHostnameVerifier` affects every `HttpsURLConnection` in the process that does not set its own verifier.

  ```java
  import javax.net.ssl.HostnameVerifier;
  import javax.net.ssl.HttpsURLConnection;

  HostnameVerifier hostnameVerifier = org.apache.http.conn.ssl.SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER; // accepts any cert for any host
  HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier); // unsafe: applied process-wide
  ```

* The same weakness appears as `org.apache.http.conn.ssl.NoopHostnameVerifier` (HttpClient 4.4+) and as a hand-written verifier whose `verify(hostname, session)` unconditionally returns `true`. Treat all of these as findings, including in "temporary" or test code that can ship.

* Leave hostname verification on. `HttpsURLConnection` verifies the URL host against the certificate when no custom verifier is installed, and Apache HttpClient 4.4+ does the same through `DefaultHostnameVerifier`, which `HttpClients.createDefault()` uses. If a custom verifier is genuinely required (for example to add pinning), delegate to the default verifier and add checks on top of it; never loosen it.

* A raw `javax.net.ssl.SSLSocket` performs no hostname check at all unless `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")` is set before the handshake; `HostnameVerifier` is not consulted on that code path, so a "default" socket is not a verified one.

* Disabling verification to make a self-signed or misnamed certificate work is not a fix. Issue a certificate whose subject alternative name matches the hostname, or add that specific certificate to a dedicated trust store, and keep the hostname check in place.
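As an added example (not code from the original rule page or from any project it references), the following class places the permissive verifier beside the hardened forms a practitioner should use, for plain `HttpsURLConnection`, for Apache HttpClient 4.4+ (assumed on the classpath), and for a raw `SSLSocket`. The class name, the `example.com` target and the `main` method are illustrative assumptions.

```java
import java.io.IOException;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

// Hypothetical class written for this page; not part of any library.
public class HostnameVerificationExample {

    // UNSAFE: this lambda is the hand-written equivalent of
    // ALLOW_ALL_HOSTNAME_VERIFIER / NoopHostnameVerifier. Any certificate the
    // trust store accepts is accepted for *any* hostname, so an attacker holding
    // a valid certificate for some other domain can impersonate this server.
    static HttpsURLConnection openPermissive(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setHostnameVerifier((hostname, session) -> true);
        return conn;
    }

    // UNSAFE: the same thing with HttpClient 4.4+, which replaced the deprecated
    // SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER with NoopHostnameVerifier.
    static CloseableHttpClient permissiveHttpClient() {
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                SSLContexts.createDefault(), NoopHostnameVerifier.INSTANCE);
        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }

    // SAFE: install nothing. With no custom verifier, the JDK checks the URL
    // host against the certificate's subjectAltName entries itself and the
    // connection fails with an SSLHandshakeException on a mismatch.
    static HttpsURLConnection openVerified(URL url) throws IOException {
        return (HttpsURLConnection) url.openConnection();
    }

    // SAFE: HttpClient 4.4+ with its RFC 2818 verifier. HttpClients.createDefault()
    // already does this; it is spelled out here so intent is visible in review.
    static CloseableHttpClient verifiedHttpClient() {
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                SSLContexts.createDefault(), new DefaultHostnameVerifier());
        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }

    // CAVEAT: a raw SSLSocket performs NO hostname check by default, even with
    // the platform trust store. Endpoint identification must be switched on
    // before the handshake; HostnameVerifier is never consulted on this path.
    static SSLSocket openVerifiedSocket(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // RFC 2818 name matching
        socket.setSSLParameters(params);
        socket.startHandshake(); // throws SSLHandshakeException on a name mismatch
        return socket;
    }

    public static void main(String[] args) throws IOException {
        // Illustrative target; pass a host whose certificate does not match
        // (e.g. an IP address or a wrong vhost) to see the verified paths fail
        // while openPermissive(...) would silently succeed.
        String host = args.length > 0 ? args[0] : "example.com";
        HttpsURLConnection conn = openVerified(new URL("https://" + host + "/"));
        System.out.println("HTTP " + conn.getResponseCode() + " from " + host);
        try (SSLSocket s = openVerifiedSocket(host, 443)) {
            System.out.println("Verified peer: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

When reviewing a finding, the question to ask is not whether the verifier "works" but whether the code still fails against a certificate issued for a different name. `openPermissive` and `permissiveHttpClient` never fail; `openVerified`, `verifiedHttpClient` and `openVerifiedSocket` throw on a mismatch, which is the behaviour this rule requires.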

## References

* [**CWE-295: Improper Certificate Validation**](https://cwe.mitre.org/data/definitions/295.html)
* [**OWASP Top 10: A07:2021 - Identification and Authentication Failures**](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)

## Configuration

To exclude this rule from a scan, or to set up continuous code-level scanning of your repositories, use our [**SAST TOOL**](https://scopy.sec1.io/login).
