
Improper Certificate Validation Using httpx Module

PY508
improper_certificate_validation
CWE-295
⛔️ Error
🔒 Professional Plan

The httpx package includes a number of standard methods for accessing HTTP servers. The common parameter in these methods is verify to denote whether to verify the server's host certificate. If unset, the default value is True to verify. However, by setting the value to False, the code is subject to a number of security risks including:

  • Man-in-the-middle attacks
  • Session hijacking
  • Data theft

Example


Error

import httpx

# verify=False disables validation of the server's certificate
httpx.get("https://localhost", verify=False)

Remediation



Setting the verify argument to True, or omitting the keyword argument altogether so the default of True applies, has the same effect: the server's certificate is verified.

import httpx

httpx.get("https://localhost", verify=True)

False Positives


In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY508) or rule category name (improper_certificate_validation).

import httpx

# suppress: PY508
httpx.get("https://localhost", verify=False)
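As an added illustration, not taken from this rule's documentation or from the tool it belongs to, the following is a minimal AST-based checker for the pattern described above, including the preceding- or trailing-comment suppression. The set of httpx function names it inspects, the suppression-comment matching and the sample source are this example's own assumptions.

```python
import ast
import io
import tokenize

RULE_ID = "PY508"
RULE_NAME = "improper_certificate_validation"
# httpx top-level request helpers that accept verify= (assumed set for this checker)
HTTPX_FUNCS = {"get", "post", "put", "patch", "delete", "head", "options", "request", "stream"}


def _comments_by_line(source):
    """Map line number -> comment text; the tokenizer keeps '#' inside strings from being treated as comments."""
    comments = {}
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT:
            comments[tok.start[0]] = tok.string
    return comments


def _is_httpx_call(node):
    """True for calls of the form httpx.<func>(...)."""
    func = node.func
    return (isinstance(func, ast.Attribute) and func.attr in HTTPX_FUNCS
            and isinstance(func.value, ast.Name) and func.value.id == "httpx")


def find_py508(source):
    """Return (line, suppressed) for every httpx call passing the literal verify=False.

    A finding is suppressed when the same line or the preceding line carries a
    comment that mentions the rule ID or the rule category name (assumed convention).
    """
    comments = _comments_by_line(source)
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_httpx_call(node)):
            continue
        for kw in node.keywords:
            if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                nearby = comments.get(node.lineno, "") + comments.get(node.lineno - 1, "")
                findings.append((node.lineno, RULE_ID in nearby or RULE_NAME in nearby))
    return sorted(findings)


# Constructed sample input: lines 3, 7 and 8 disable verification; 7 and 8 are suppressed.
SAMPLE = '''import httpx

httpx.get("https://localhost", verify=False)
httpx.get("https://localhost", verify=True)
httpx.get("https://localhost")
# suppress: PY508
httpx.post("https://localhost", verify=False)
httpx.get("https://localhost", verify=False)  # suppress: improper_certificate_validation
'''

if __name__ == "__main__":
    for line, suppressed in find_py508(SAMPLE):
        print(f"line {line}: {RULE_ID} {RULE_NAME}" + (" (suppressed)" if suppressed else ""))
```

Only the literal `False` is matched; a `verify` value computed at runtime is outside what this checker can see.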

See also