CodeQL documentation

Disabling certificate validation

ID: js/disabling-certificate-validation
Kind: problem
Security severity: 7.5
Severity: error
Precision: very-high
Tags:
   - security
   - external/cwe/cwe-295
   - external/cwe/cwe-297
Query suites:
   - javascript-code-scanning.qls
   - javascript-security-extended.qls
   - javascript-security-and-quality.qls


Certificate validation is the standard authentication method of a secure TLS connection. Without it, there is no guarantee about who the other party of a TLS connection is, making man-in-the-middle attacks more likely to occur.

When testing software that uses TLS connections, it may be useful to disable the certificate validation temporarily. But disabling it in production environments is strongly discouraged, unless an alternative method of authentication is used.


Do not disable certificate validation for TLS connections.


The following example shows an HTTPS connection that transfers confidential information to a remote server. But the connection is not secure, since the rejectUnauthorized option of the connection is set to false. As a consequence, anyone can impersonate the remote server and receive the confidential information.

let https = require("https");

let options = {
    hostname: "",
    port: 443,
    method: "POST",
    path: "send-confidential-information",
    rejectUnauthorized: false // BAD: disables certificate validation
};

let req = https.request(options,
  response => {
    // ... communicate with
  });

To make the connection secure, the rejectUnauthorized option should have its default value, or be explicitly set to true.

