Missing TLS validation

Overview

  • Rule ID: javascript_node_missing_tls_validation

  • Applicable Languages: JavaScript

  • Weakness ID: CWE-295

Description

Neglecting to validate TLS certificates exposes your application to serious security risks, such as Man-in-the-Middle attacks and data interception. This vulnerability arises when the application does not properly verify the SSL/TLS certificate of the server it connects to, potentially allowing attackers to intercept or alter data in transit.

Remediation Guidelines

  • Do not disable SSL/TLS certificate validation. In particular, avoid setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to zero in security-sensitive environments. Disabling this validation compromises your application's security by leaving it open to potential attacks.

    // Do not do this: it turns off certificate validation for the whole process.
    process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
    
