T01 TLS Verification Disabled

What this means

SiteShadow found code that disables TLS certificate verification (for example verify=False, rejectUnauthorized: false, -k/--insecure).

Why it matters

MITM risk: attackers can intercept/modify traffic, steal tokens, and inject responses.
Silent failure mode: things "work" in tests and then ship to production.
Credential compromise: API keys and session tokens can leak over intercepted connections.

Safer examples

1) Keep verification enabled (Python)

import requests

requests.get(url, timeout=10)  # verify=True by default

2) Fix the root cause instead of disabling checks

Install the correct CA bundle in your container/host.
Use the provider's proper hostname (avoid IPs when certs are hostname-bound).

3) If you truly need a dev-only override, guard it hard

const insecureDevOnly = process.env.INSECURE_TLS === "true";
if (insecureDevOnly && process.env.NODE_ENV === "production") {
  throw new Error("INSECURE_TLS cannot be enabled in production");
}

How SiteShadow detects it (high level)

Flags known "disable TLS verification" knobs across common HTTP clients and runtimes.
Treats these as high severity when they appear outside explicit dev/test contexts.

References

CWE-295: https://cwe.mitre.org/data/definitions/295.html

---

← Back to Vulnerability Library

Request access View coverage