Missing TLS validation
Overview
Rule ID: javascript_node_missing_tls_validation
Applicable Languages: JavaScript
Weakness ID: CWE-295
Description
Neglecting to validate TLS certificates exposes your application to serious security risks, such as Man-in-the-Middle attacks and data interception. This vulnerability arises when the application does not properly verify the SSL/TLS certificate of the server it connects to, potentially allowing attackers to intercept or alter data in transit.
Remediation Guidelines
Do not disable SSL/TLS certificate validation. In particular, avoid setting the NODE_TLS_REJECT_UNAUTHORIZED variable to zero in security-sensitive environments. Disabling this validation compromises your application's security by leaving it open to potential attacks.
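The remediation guideline above as a startup check, with a validated connection to a privately signed server as the alternative to switching validation off. This is an added example, not part of the original rule documentation: the function names and the placeholder CA are assumptions, and the check also covers the per-connection rejectUnauthorized option, which goes beyond the environment variable named above.

```javascript
const https = require('node:https');

// Pattern this rule flags (kept as a comment so it never runs):
//   process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';

// Hypothetical helper: list every way certificate validation has been switched off.
function findDisabledTlsValidation(env, requestOptions = {}) {
  const findings = [];
  // Process-wide switch: the value "zero" from the guideline, as the string '0'.
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    findings.push('env NODE_TLS_REJECT_UNAUTHORIZED=0');
  }
  // Per-connection switch. Any explicitly set falsy value is flagged, not only
  // `false`, so a stray 0 or null in a config object is caught as well.
  if ('rejectUnauthorized' in requestOptions && !requestOptions.rejectUnauthorized) {
    findings.push('option rejectUnauthorized is falsy');
  }
  return findings;
}

// Hypothetical startup guard: refuse to run with validation disabled.
function assertTlsValidationEnabled(env = process.env, requestOptions = {}) {
  const findings = findDisabledTlsValidation(env, requestOptions);
  if (findings.length > 0) {
    throw new Error('TLS certificate validation disabled: ' + findings.join(', '));
  }
}

// Hardened alternative when the server certificate is signed by a private CA:
// trust that CA explicitly and keep validation on. Setting `ca` replaces the
// default trust store for this agent, so only the given CA is accepted.
function privateCaAgentOptions(caPem) {
  return { ca: caPem, rejectUnauthorized: true };
}

function createPrivateCaAgent(caPem) {
  return new https.Agent(privateCaAgentOptions(caPem));
}

// Constructed placeholder, not a real certificate; load the real PEM from disk.
const SAMPLE_CA_PEM = '-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n';
```

Call assertTlsValidationEnabled() once at startup, and pass the agent from createPrivateCaAgent() as the `agent` option of https.request().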
Configuration
To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL