CodeQL documentation

Disabled TLS certificate check

ID: go/disabled-certificate-check
Kind: problem
Severity: warning
Precision: high
   - security
   - external/cwe/cwe-295
Query suites:
   - go-code-scanning.qls
   - go-security-extended.qls
   - go-security-and-quality.qls

Click to see the query in the CodeQL repository

The field InsecureSkipVerify controls whether a TLS client verifies the server’s certificate chain and host name. If set to true, the client will accept any certificate and any host name in that certificate, making it susceptible to man-in-the-middle attacks.


Do not set InsecureSkipVerify to true except in tests.


The following code snippet shows a function that performs an HTTP request over TLS with certificate verification disabled:

package main

import (

func doAuthReq(authReq *http.Request) *http.Response {
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	client := &http.Client{Transport: tr}
	res, _ := client.Do(authReq)
	return res

While this is acceptable in a test, it should not be used in production code. Instead, certificates should be configured such that verification can be performed.