Will It Vibe logoWill It Vibe?
CRYPTO-018Critical severity-25 points

NODE_TLS_REJECT_UNAUTHORIZED set to 0

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.

What it detects

Setting NODE_TLS_REJECT_UNAUTHORIZED=0 disables certificate validation for the entire Node process, not just one request.

Why it matters

NODE_TLS_REJECT_UNAUTHORIZED=0 disables certificate validation for every TLS connection the Node process makes, not just one request, so all outbound HTTPS becomes vulnerable to interception. Node itself prints a warning that this is insecure. Set in a Dockerfile or CI env, it silently weakens every deployed instance.

How to fix it

Delete the variable from your code, Dockerfiles, and CI/deploy configuration. For a private CA, use NODE_EXTRA_CA_CERTS to add the trusted certificate, or pass a ca option on the specific client. Never set the reject flag to 0 in an environment that serves users.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks