SiteShadow
Back to vulnerability library
Detected byPro-tier static analysisPro

T01 TLS Verification Disabled

What this means

SiteShadow found code that disables TLS certificate verification (for example verify=False, rejectUnauthorized: false, -k/--insecure).

Why it matters

Safer examples

1) Keep verification enabled (Python)

import requests

requests.get(url, timeout=10)  # verify=True by default

2) Fix the root cause instead of disabling checks

3) If you truly need a dev-only override, guard it hard

const insecureDevOnly = process.env.INSECURE_TLS === "true";
if (insecureDevOnly && process.env.NODE_ENV === "production") {
  throw new Error("INSECURE_TLS cannot be enabled in production");
}

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.