Typescript Tls Reject Unauthorized False
Description
Detects when HTTPS requests are configured to ignore TLS certificate validation by setting rejectUnauthorized to false. This creates a significant security risk by allowing man-in-the-middle attacks since invalid or malicious TLS certificates will be accepted.
Detection Strategy
• Identifies creation of HTTPS Agent objects through the pattern 'https.Agent'
• Examines configuration options passed to the HTTPS Agent constructor
• Reports a vulnerability if rejectUnauthorized is set to false in the options
• Example of vulnerable code: new https.Agent({ rejectUnauthorized: false })
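As an added illustration of the detection strategy above (example code, not Fluid Attacks' own rule engine), a minimal TypeScript scanner that locates https.Agent constructions and reports those whose options literally set rejectUnauthorized to false; the names findInsecureAgents, Finding and SAMPLE, and the sample source, are constructed for this example.

```typescript
// Added example: regex-based detector for `new https.Agent({ rejectUnauthorized: false })`.
// A full parser would be more robust; this lightweight scan is enough to show the rule's logic.

interface Finding {
  line: number;    // 1-based line where the `new https.Agent(` starts
  snippet: string; // the matched construction, whitespace collapsed
}

// Step 1: find `new https.Agent(` followed by an object literal (lazy match up to `})`;
// `[\s\S]` spans newlines so multi-line option objects are covered).
const AGENT_RE = /new\s+https\.Agent\s*\(\s*\{([\s\S]*?)\}\s*\)/g;
// Step 2: inside the captured options, look for a literal `rejectUnauthorized: false`.
const REJECT_FALSE_RE = /\brejectUnauthorized\s*:\s*false\b/;

function findInsecureAgents(source: string): Finding[] {
  const findings: Finding[] = [];
  const re = new RegExp(AGENT_RE.source, 'g'); // fresh state per call
  let match: RegExpExecArray | null;
  while ((match = re.exec(source)) !== null) {
    const options = match[1];
    if (REJECT_FALSE_RE.test(options)) {
      // Line number = newlines before the match + 1
      const line = source.slice(0, match.index).split('\n').length;
      findings.push({ line, snippet: match[0].replace(/\s+/g, ' ') });
    }
  }
  return findings;
}

// Constructed sample input: one vulnerable agent, one explicit `true`, one relying on the default.
const SAMPLE = `import https from 'https';
const bad = new https.Agent({
  rejectUnauthorized: false
});
const good = new https.Agent({ rejectUnauthorized: true });
const defaults = new https.Agent({ keepAlive: true });
`;

for (const f of findInsecureAgents(SAMPLE)) {
  console.log(`line ${f.line}: TLS certificate validation disabled -> ${f.snippet}`);
}
```

Only the literal false is reported, matching the rule; an option computed at runtime (for example from an environment variable) is outside what this pattern detects.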
Vulnerable code example
import https from 'https';
import axios from 'axios';

// Vulnerable: Disables SSL/TLS certificate validation
const agent = new https.Agent({
  rejectUnauthorized: false // Security risk: Accepts invalid/self-signed certificates
});
...

✅ Secure code example
import https from 'https';
import axios from 'axios';

// Secure: Enables SSL/TLS certificate validation (this is also Node's default)
const agent = new https.Agent({
  rejectUnauthorized: true // Security best practice: Enforces certificate validation
});
...