NODE_TLS_REJECT_UNAUTHORIZED set to 0
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.
What it detects
Setting NODE_TLS_REJECT_UNAUTHORIZED=0 disables certificate validation for the entire Node process, not just one request.
Why it matters
NODE_TLS_REJECT_UNAUTHORIZED=0 disables certificate validation for every TLS connection the Node process makes, not just one request, so all outbound HTTPS becomes vulnerable to interception. Node itself prints a warning that this is insecure. Set in a Dockerfile or CI env, it silently weakens every deployed instance.
How to fix it
Delete the variable from your code, Dockerfiles, and CI/deploy configuration. For a private CA, use NODE_EXTRA_CA_CERTS to add the trusted certificate, or pass a ca option on the specific client. Never set the reject flag to 0 in an environment that serves users.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo