Improper Certificate Validation Using httpx
Module
- Rule ID: PY508
- Category: improper_certificate_validation
- CWE-295
- Error
- Professional Plan
The httpx package includes a number of standard methods for accessing HTTP servers. The parameter common to these methods is verify, which denotes whether to verify the server's host certificate. If unset, the default value is True, so certificates are verified. However, setting the value to False subjects the code to a number of security risks, including:
- Machine-in-the-middle attacks
- Session hijacking
- Data theft
Example
```python
import httpx
httpx.get("https://localhost", verify=False)
```
Remediation
Setting the value of the verify argument to True or removing the keyword argument accomplishes the same effect of ensuring that certificates are verified.
```python
import httpx
httpx.get("https://localhost", verify=True)
```
False Positives
In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY508) or the rule category name (improper_certificate_validation).
- Using rule ID
```python
import httpx
# suppress: PY508
httpx.get("https://localhost", verify=False)
```
- Using category name
```python
import httpx
# suppress: improper_certificate_validation
httpx.get("https://localhost", verify=False)
```
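As an added illustration of what this rule checks, including the suppression comments described above, here is a small standalone AST-based detector for `httpx.<method>(..., verify=False)` calls. It is example code written for this page, not precli's own implementation; the function names and the constructed `SAMPLE` source are assumptions, and it only needs the standard library (no network, no httpx install).

```python
import ast

RULE_ID = "PY508"
CATEGORY = "improper_certificate_validation"


def _suppressed(lines: list[str], lineno: int) -> bool:
    """True if the call line or the line before it carries a suppress comment
    naming this rule, e.g. '# suppress: PY508' (trailing or preceding)."""
    candidates = [lines[lineno - 1]]
    if lineno >= 2:
        candidates.append(lines[lineno - 2])
    for text in candidates:
        if "#" not in text:
            continue
        comment = text.split("#", 1)[1].strip().lower()
        if comment.startswith("suppress:") and (
            RULE_ID.lower() in comment or CATEGORY in comment
        ):
            return True
    return False


def find_unverified_httpx_calls(source: str) -> list[int]:
    """Return line numbers of httpx.* calls passing verify=False,
    skipping calls covered by a suppression comment."""
    lines = source.splitlines()
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Match only attribute calls on the httpx module: httpx.get, httpx.post, ...
        if not (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "httpx"):
            continue
        for kw in node.keywords:
            if (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is False and not _suppressed(lines, node.lineno)):
                findings.append(node.lineno)
    return sorted(findings)


# Constructed sample source exercising the flagged, safe and suppressed cases.
SAMPLE = '''import httpx
httpx.get("https://localhost", verify=False)          # flagged
httpx.get("https://localhost", verify=True)           # fine
httpx.get("https://localhost")                        # fine: default verifies
# suppress: PY508
httpx.post("https://localhost", verify=False)         # suppressed by preceding comment
httpx.get("https://localhost", verify=False)  # suppress: improper_certificate_validation
'''

if __name__ == "__main__":
    print("PY508 findings on lines:", find_unverified_httpx_calls(SAMPLE))  # → [2]
```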