Missing TLS validation

• Rule ID: javascript_node_missing_tls_validation
• Languages: javascript
• Source: missing_tls_validation.yml

Description

Failing to validate TLS certificates exposes your application to significant security risks, including Man-in-the-Middle attacks and data interception. This vulnerability occurs when the application does not properly verify the SSL/TLS certificate of the server it is connecting to, allowing attackers to potentially intercept or alter data in transit.

Remediations

• Do not disable SSL/TLS certificate validation. Specifically, avoid setting the NODE_TLS_REJECT_UNAUTHORIZED variable to zero in environments where security is a concern. This action turns off TLS/SSL certificate validation, leaving your application vulnerable to attacks.

  process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";

Associated CWE

• CWE-295: Improper Certificate Validation

OWASP Top 10

• A07:2021 - Identification and Authentication Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_node_missing_tls_validation

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_node_missing_tls_validation