
Improper Certificate Validation Using requests Module

PY523
improper_certificate_validation
CWE-295
⛔️ Error
🔒 Professional Plan

The requests package includes a number of standard methods for accessing HTTP servers. These methods share a verify parameter that controls whether the server's TLS certificate is validated. If it is not set, it defaults to True and the certificate is verified. Setting it to False disables that check and exposes the code to a number of security risks, including:

  • Man-in-the-middle attacks
  • Session hijacking
  • Data theft

Example

import requests


# verify=False disables TLS certificate validation for this request
requests.get("https://localhost", verify=False)

Remediation

Setting the verify argument to True, or omitting the keyword argument entirely, has the same effect: the server's certificate is verified.

import requests


requests.get("https://localhost", verify=True)

False Positives

In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY523) or rule category name (improper_certificate_validation).

import requests


# suppress: PY523
requests.get("https://localhost", verify=False)
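The following is an added example, not precli's own implementation of PY523: a small ast-based scanner that flags requests module calls made with verify=False and honours a suppression comment on the same line or the line before, following the rule description above. The function names (check_source, Finding), the list of requests helper names and the sample source it scans are all assumptions constructed for this illustration; the scanner only recognises calls through the plain requests name (aliases such as import requests as r, and Session.verify assignments, are not covered).

```python
"""Static check for requests calls that disable TLS certificate verification.

Added example, not precli's own code: an ast-based scanner for
``requests.<method>(..., verify=False)`` that honours a ``# suppress: PY523``
or ``# suppress: improper_certificate_validation`` comment on the same line
or on the preceding line.
"""
import ast
import io
import tokenize
from dataclasses import dataclass

RULE_ID = "PY523"
RULE_NAME = "improper_certificate_validation"
# Module-level request helpers exposed by requests (constructed list for this example).
REQUESTS_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}


@dataclass(frozen=True)
class Finding:
    line: int
    message: str


def _suppressed_lines(source: str) -> set[int]:
    """Return line numbers covered by a suppression comment.

    A trailing comment covers its own line; a comment on its own line also
    covers the line after it (the "preceding comment line" case).
    """
    covered: set[int] = set()
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.COMMENT:
            continue
        text = tok.string.lstrip("#").strip().lower()
        if not text.startswith("suppress:"):
            continue
        ids = {part.strip() for part in text[len("suppress:"):].split(",")}
        if RULE_ID.lower() in ids or RULE_NAME in ids:
            covered.add(tok.start[0])
            covered.add(tok.start[0] + 1)
    return covered


def _is_requests_call(node: ast.Call) -> bool:
    """True for calls of the form requests.<helper>(...) via the plain module name."""
    func = node.func
    return (
        isinstance(func, ast.Attribute)
        and isinstance(func.value, ast.Name)
        and func.value.id == "requests"
        and func.attr in REQUESTS_METHODS
    )


def _verify_is_false(node: ast.Call) -> bool:
    """True when the call passes the literal keyword verify=False."""
    return any(
        kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False
        for kw in node.keywords
    )


def check_source(source: str) -> list[Finding]:
    """Scan Python source text and return one Finding per unsuppressed violation."""
    tree = ast.parse(source)
    suppressed = _suppressed_lines(source)
    findings: list[Finding] = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and _is_requests_call(node) and _verify_is_false(node)):
            continue
        if node.lineno in suppressed:
            continue
        findings.append(
            Finding(node.lineno, f"{RULE_ID}: requests.{node.func.attr}() called with verify=False")
        )
    return findings


# Constructed sample input: one real violation, two safe calls, two suppressed calls.
SAMPLE = '''\
import requests

requests.get("https://localhost", verify=False)          # flagged
requests.get("https://localhost", verify=True)           # fine
requests.get("https://localhost", verify="/etc/ssl/certs/ca-bundle.crt")  # fine: CA bundle path
# suppress: PY523
requests.post("https://localhost", data={}, verify=False)  # suppressed by preceding comment
requests.put("https://localhost", verify=False)  # suppress: improper_certificate_validation
'''

if __name__ == "__main__":
    for finding in check_source(SAMPLE):
        print(f"line {finding.line}: {finding.message}")
```

Running the block reports only line 3 of the sample. The string-valued verify on line 5 is left alone because requests accepts a path to a CA bundle there, which still validates the certificate; a checker that only looks for the literal False will miss a verify=False passed through a variable, so treat it as a starting point rather than a complete implementation.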

See also