Missing SSL certificate verification detected.

• Rule ID: php_lang_ssl_verification
• Languages: php
• Source: ssl_verification.yml

Description

Applications processing sensitive data should use valid SSL certificates. This rule checks if SSL verification is enabled.

Remediations

❌ Do not disable SSL certificate validation in your HTTP client

✅ Ensure verification of both peers and hostnames is enabled in your HTTP client:

curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, true);

Associated CWE

• CWE-295: Improper Certificate Validation

OWASP Top 10

• A07:2021 - Identification and Authentication Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_lang_ssl_verification

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_lang_ssl_verification