Improper Certificate Validation
Description
The application sets NODE_TLS_REJECT_UNAUTHORIZED to '0', which instructs Node.js to disable TLS/SSL certificate validation. This configuration allows the application to accept self-signed certificates or certificates from untrusted authorities, undermining the TLS security model. Disabling TLS/SSL certificate validation compromises the integrity and confidentiality of data in transit between the client and server. It makes the application vulnerable to man-in-the-middle (MITM) attacks, where an attacker could intercept or alter the data being exchanged.
Examples
Insecure Code

```javascript
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
```

Secure Code

```javascript
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '1';
```

Remediation
Do not disable TLS/SSL certificate validation in production environments. Ensure that NODE_TLS_REJECT_UNAUTHORIZED is set to '1' or is removed entirely from the production configuration.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0356 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-295 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | TLS, SSL, Certificate Validation |
| OWASP | A6:2017-Security Misconfiguration, A05:2021-Security Misconfiguration |