Missing or insufficient validation of a TLS certificate can lead to host impersonation and leaks of sensitive data.
// Node built-ins used by the example below: `tls` provides the TLS server,
// `fs` reads PEM files from disk (not referenced in the noncompliant example).
const tls = require("tls");
const fs = require("fs");
/**
 * Noncompliant example: starts a TLS server on port 8000 with
 * `rejectUnauthorized: false`.
 *
 * With `rejectUnauthorized` disabled, Node no longer rejects a connection whose
 * peer certificate fails verification, so the handshake gives no assurance
 * about who is on the other end of the connection. On a server this setting
 * governs client certificates and only takes effect when `requestCert` is
 * also enabled; the option is still flagged because it silently removes
 * verification wherever it is evaluated.
 *
 * NOTE(review): `host` is a `tls.connect` option and is ignored by
 * `tls.createServer` — presumably carried over from a client-side example.
 * NOTE(review): `tls.createServer`'s connection listener receives a single
 * TLSSocket; the http-style `(req, res)` pair below is kept verbatim from
 * the original example — confirm whether `https.createServer` was intended.
 *
 * @returns {void}
 */
function improperCertificateValidationNoncompliant() {
  const serverOptions = {
    host: 'encrypted.example.com',
    // Noncompliant: rejectUnauthorized is set to 'false'.
    rejectUnauthorized: false,
  };

  const onSecureConnection = (req, res) => {
    res.writeHead(200);
    res.end();
  };

  const server = tls.createServer(serverOptions, onSecureConnection);
  server.listen(8000);
}
// Node built-ins used by the example below: `tls` provides the TLS server,
// `fs` reads the PEM key and certificate from disk.
const tls = require("tls");
const fs = require("fs");
/**
 * Compliant example: starts a TLS server on port 8000 that presents its own
 * key and certificate and leaves certificate verification at the default.
 *
 * `key` and `cert` are read synchronously from `keys/` (relative to the
 * process working directory) when the function is called; a missing or
 * unreadable file makes `fs.readFileSync` throw before the server is created.
 * `rejectUnauthorized` is not overridden, so it keeps its default of `true`
 * and any peer certificate that is verified is rejected on failure.
 *
 * NOTE(review): `host` is a `tls.connect` option and is ignored by
 * `tls.createServer` — presumably carried over from a client-side example.
 * NOTE(review): `tls.createServer`'s connection listener receives a single
 * TLSSocket; the http-style `(req, res)` pair below is kept verbatim from
 * the original example — confirm whether `https.createServer` was intended.
 *
 * @returns {void}
 * @throws {Error} if either PEM file cannot be read.
 */
function improperCertificateValidationCompliant() {
  const serverOptions = {
    host: 'encrypted.example.com',
    // Compliant: certificate is provided.
    key: fs.readFileSync('keys/client-key.pem'),
    cert: fs.readFileSync('keys/client-cert.pem'),
  };

  const onSecureConnection = (req, res) => {
    res.writeHead(200);
    res.end();
  };

  const server = tls.createServer(serverOptions, onSecureConnection);
  server.listen(8000);
}