Improper Certificate Validation Using httpx
Module · PY508 · improper_certificate_validation · CWE-295 · Error · Professional Plan
The httpx package includes a number of standard methods for accessing HTTP servers. These methods share a verify parameter that controls whether the server's certificate is verified. If unset, the default value is True, so certificates are verified. Setting the value to False disables verification and exposes the code to a number of security risks, including:
- Man-in-the-middle attacks
- Session hijacking
- Data theft
Example
import httpx
# verify=False disables TLS certificate verification for this request
httpx.get("https://localhost", verify=False)
Remediation
Setting the value of the verify argument to True or removing the keyword argument accomplishes the same effect of ensuring that certificates are verified.
import httpx
# verify=True is the default; the keyword can also simply be omitted
httpx.get("https://localhost", verify=True)
False Positives
In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY508) or the rule category name (improper_certificate_validation).
Using rule ID:
import httpx
# suppress: PY508
httpx.get("https://localhost", verify=False)
Using category name:
import httpx
# suppress: improper_certificate_validation
httpx.get("https://localhost", verify=False)
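As an added illustration of both the rule described above and the suppression comments in this section (example code written for this page, not the analyzer's own implementation): a minimal stdlib-only check that walks a module's AST, flags httpx calls made with verify=False, and honors a `# suppress:` comment on the preceding, same or following line. Reading "trailing or preceding" that way is an assumption, as is the list of httpx entry points; the sample module is constructed.

```python
import ast
import re

RULE_ID = "PY508"
CATEGORY = "improper_certificate_validation"
SUPPRESS_RE = re.compile(r"#\s*suppress:\s*(\S+)")
# httpx entry points that accept a verify keyword (assumed list, not exhaustive)
HTTPX_CALLS = {"get", "post", "put", "patch", "delete", "head", "options",
               "request", "stream", "Client", "AsyncClient"}

# Constructed sample module exercising the rule and both suppression forms.
SAMPLE = '''import httpx
httpx.get("https://localhost", verify=False)
httpx.get("https://localhost", verify=True)
# suppress: PY508
httpx.post("https://localhost", verify=False)
client = httpx.Client(verify=False)  # suppress: improper_certificate_validation
httpx.get("https://localhost")
'''

def _suppressed(lines, lineno):
    """True if the flagged line, the one before or the one after names this rule in a suppress comment."""
    for idx in (lineno - 2, lineno - 1, lineno):  # 0-based neighbours of a 1-based lineno
        if 0 <= idx < len(lines):
            match = SUPPRESS_RE.search(lines[idx])
            if match and match.group(1) in (RULE_ID, CATEGORY):
                return True
    return False

def find_insecure_verify(source):
    """Return (line_number, suppressed) for every httpx call made with verify=False."""
    lines = source.splitlines()
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Only attribute calls on the httpx module: httpx.get(...), httpx.Client(...)
        if not (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "httpx" and func.attr in HTTPX_CALLS):
            continue
        for kw in node.keywords:
            if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                findings.append((node.lineno, _suppressed(lines, node.lineno)))
    return findings

def report(source):
    """Line numbers that should be reported: verify=False and not suppressed."""
    return [line for line, suppressed in find_insecure_verify(source) if not suppressed]
```

Running `report(SAMPLE)` yields only line 2; lines 5 and 6 are detected but suppressed, and the verify=True and default calls are not flagged.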