Missing TLS validation
- Rule ID: java_lang_ssl_verification
- Languages: java
- Source: missing_tls_validation.yml
When establishing a connection, it is important to verify the hostname to mitigate man-in-the-middle attacks, data interception and related security risks.
DefaultHttpClient is deprecated and does not verify hostnames.
Likewise, the SSL protocol is also deprecated on account of its known security vulnerabilities.
✅ Use newer HTTP Clients such as java.net.http.HttpClient that do this validation automatically
✅ Use newer protocols like TLS instead of SSL
❌ Do not use deprecated HTTP Clients such as
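The following is an added example (not code from the Bearer rule page or the Bearer project) showing the pattern the rule flags next to the pattern it recommends: a `java.net.http.HttpClient` built on an explicit TLS 1.2/1.3 `SSLContext` with hostname verification enabled, using only the JDK's default trust store. The class name `TlsClientExample`, the method `newTlsClient`, and the target URL `https://example.com/` are assumptions chosen for illustration; the Apache `DefaultHttpClient` lines are left as comments so the file compiles without a third-party dependency.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class TlsClientExample {

    // Pattern the rule reports (shown as comments; assumed Apache HttpClient 4.x API):
    //   org.apache.http.impl.client.DefaultHttpClient legacy = new DefaultHttpClient();
    //   SSLContext ctx = SSLContext.getInstance("SSL");
    // DefaultHttpClient is deprecated and performs no hostname verification, and
    // "SSL" selects a deprecated protocol family instead of TLS.

    // Recommended pattern: JDK 11+ HttpClient with an explicit TLS context.
    // Assumption for this example: the JDK default trust store is the intended trust anchor set.
    public static HttpClient newTlsClient() throws Exception {
        // Request a modern protocol family; "TLSv1.3" contexts also negotiate TLS 1.2.
        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
        // null managers and null SecureRandom select the JDK defaults (platform trust store).
        ctx.init(null, null, null);

        SSLParameters params = new SSLParameters();
        // Refuse anything older than TLS 1.2 at the handshake.
        params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        // "HTTPS" turns on RFC 2818 hostname checking against the server certificate.
        // HttpClient does this by default; setting it explicitly keeps the intent visible.
        params.setEndpointIdentificationAlgorithm("HTTPS");

        return HttpClient.newBuilder()
                .sslContext(ctx)
                .sslParameters(params)
                .build();
    }

    public static void main(String[] args) throws Exception {
        HttpClient client = newTlsClient();
        // Assumed target URL for the demonstration.
        HttpRequest req = HttpRequest.newBuilder(URI.create("https://example.com/"))
                .GET()
                .build();
        HttpResponse<String> resp = client.send(req, HttpResponse.BodyHandlers.ofString());
        // Report the negotiated protocol so a reviewer can confirm TLS (not SSL) was used.
        String protocol = resp.sslSession().map(s -> s.getProtocol()).orElse("no TLS session");
        System.out.println("status=" + resp.statusCode() + " protocol=" + protocol);
    }
}
```

A connection to a host whose certificate does not match the requested name fails inside `client.send` with an `SSLHandshakeException`, which is the behaviour the deprecated client silently skipped. When a custom trust store is required, supply a `TrustManager` to `ctx.init` rather than one that accepts every chain; replacing it with an accept-all manager recreates the weakness this rule exists to catch.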
OWASP Top 10
To skip this rule during a scan, use the following flag

```shell
bearer scan /path/to/your-project/ --skip-rule=java_lang_ssl_verification
```

To run only this rule during a scan, use the following flag

```shell
bearer scan /path/to/your-project/ --only-rule=java_lang_ssl_verification
```