Improper certificate validation High

Lack of validation or insufficient validation of a security certificate can lead to host impersonation and sensitive data leaks.

Detector ID
javascript/improper-certificate-validation@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

// Node built-ins used by the examples below: `tls` for the TLS server,
// `fs` to read the key/certificate files from disk.
const tls = require("tls");
const fs = require("fs");

/**
 * Noncompliant example: starts a TLS server on port 8000 with
 * certificate verification disabled.
 *
 * `rejectUnauthorized: false` tells the TLS layer to accept peer
 * certificates that fail verification, which is what allows host
 * impersonation and leaks of data sent over the connection.
 * NOTE(review): `host` is a tls.connect() option rather than a
 * tls.createServer() option, and the listener here is written in the
 * http-style `(req, res)` form — the sample illustrates the flag, not a
 * working server; verify against the Node tls docs before reusing it.
 */
function improperCertificateValidationNoncompliant() {
    const options = {
        host: 'encrypted.example.com',
        // Noncompliant: rejectUnauthorized is set to false.
        rejectUnauthorized: false,
    };

    const handleRequest = (req, res) => {
        res.writeHead(200);
        res.end();
    };

    tls.createServer(options, handleRequest).listen(8000);
}

Compliant example

1var tls = require("tls")
2var fs = require("fs")
3
/**
 * Compliant example: starts a TLS server on port 8000 that presents its
 * own key/certificate pair and leaves certificate verification enabled.
 *
 * `rejectUnauthorized` is not set, so it keeps its default (`true`) and
 * unverified peer certificates are rejected. The key and certificate are
 * read synchronously from `keys/` before the server is created; a missing
 * or unreadable file throws from `fs.readFileSync` and no server starts.
 * NOTE(review): as in the noncompliant sample, `host` is a tls.connect()
 * option and the `(req, res)` listener is http-style — the sample
 * illustrates the option set, not a working server.
 */
function improperCertificateValidationCompliant() {
    // Compliant: a key/certificate pair is provided and verification is
    // left at its default (enabled).
    const options = {
        host: 'encrypted.example.com',
        key: fs.readFileSync('keys/client-key.pem'),
        cert: fs.readFileSync('keys/client-cert.pem'),
    };

    const handleRequest = (req, res) => {
        res.writeHead(200);
        res.end();
    };

    tls.createServer(options, handleRequest).listen(8000);
}