TLS hostname/trust verification disabled in Java
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A no-op hostname verifier (NoopHostnameVerifier, ALLOW_ALL_HOSTNAME_VERIFIER) or a verify() that always returns true accepts any certificate for any host.
Why it matters
A no-op hostname verifier or a checkServerTrusted/verify method that always returns true tells Java to accept any certificate from any host, which removes TLS protection entirely. Attackers on the network can then impersonate any server. This pattern is a common copy-paste fix for a certificate mismatch and is dangerous in production.
How to fix it
Delete the permissive HostnameVerifier / TrustManager and use the platform defaults, which validate the chain and hostname. For a private CA, load it into a KeyStore and build an SSLContext with a TrustManagerFactory initialized from that store. For a hostname that legitimately differs, configure the correct expected name rather than accepting all.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo