
Improper Certificate Validation Using httpx Module

📐 PY508
đŸˇī¸ improper_certificate_validation
â„šī¸ CWE-295
â›”ī¸ Error
🔒 Professional Plan

The httpx package includes a number of standard methods for accessing HTTP servers. These methods share the verify parameter, which controls whether the server's certificate is validated. If unset, it defaults to True, so certificates are verified. Setting it to False disables that validation and exposes the code to a number of security risks, including:

  • Machine-in-the-middle attacks
  • Session hijacking
  • Data theft

Example

import httpx


# verify=False disables TLS certificate validation for this request
httpx.get("https://localhost", verify=False)

Remediation

Setting the verify argument to True, or omitting the keyword argument so that the default applies, has the same effect: certificates are verified.

import httpx


# verify=True is the default; passing it explicitly keeps certificate validation on
httpx.get("https://localhost", verify=True)

False Positives

If the rule reports a false positive, it can be suppressed. Add a trailing or preceding comment line containing either the rule ID (PY508) or the rule category name (improper_certificate_validation).

import httpx


# suppress: PY508
httpx.get("https://localhost", verify=False)
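As an added example (not code from this page or the tool itself), the following minimal AST checker reproduces what PY508 looks for, httpx calls that pass a literal verify=False, and honours the trailing and preceding suppression comments described above. The set of httpx entry points it inspects and the sample source it scans are assumptions constructed for the demo.

```python
import ast
import io
import re
import tokenize

RULE_ID = "PY508"
RULE_CATEGORY = "improper_certificate_validation"
# assumed set of httpx entry points that accept verify= (not taken from the page)
HTTPX_CALLS = {"get", "post", "put", "patch", "delete", "head", "options",
               "request", "stream", "Client", "AsyncClient"}
SUPPRESS_RE = re.compile(r"#\s*suppress:\s*(.+)")

# constructed sample source for the demo (not code from the page)
SAMPLE = """\
import httpx
httpx.get("https://localhost", verify=False)  # line 2: flagged
# suppress: PY508
httpx.get("https://localhost", verify=False)  # line 4: suppressed by the line above
httpx.get("https://localhost", verify=True)   # line 5: verified, not flagged
client = httpx.Client(verify=False)  # suppress: improper_certificate_validation
httpx.post("https://localhost", verify=False)  # line 7: flagged
"""

def suppressed_lines(source: str) -> set:
    """Lines covered by a suppress comment: a trailing comment covers its own line,
    a comment alone on a line covers the line that follows it."""
    covered = set()
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        m = SUPPRESS_RE.search(tok.string) if tok.type == tokenize.COMMENT else None
        if m and {s.strip() for s in m.group(1).split(",")} & {RULE_ID, RULE_CATEGORY}:
            row = tok.start[0]
            covered.add(row + 1 if tok.line.strip().startswith("#") else row)
    return covered

def find_verify_false(source: str) -> list:
    """Sorted (line, call) for each httpx.<call>(..., verify=False) not suppressed."""
    skip = suppressed_lines(source)
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        base = node.func.value
        if not (isinstance(base, ast.Name) and base.id == "httpx"
                and node.func.attr in HTTPX_CALLS):
            continue
        for kw in node.keywords:
            # only a literal False is flagged; verify=some_variable is left alone
            if (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is False and node.lineno not in skip):
                findings.append((node.lineno, node.func.attr))
    return sorted(findings)
```

Running find_verify_false(SAMPLE) reports lines 2 and 7 only; line 4 is covered by the preceding comment and line 6 by its trailing one.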

See also