Will It Vibe logoWill It Vibe?
CSHARP-009Critical severity-25 points

Process-wide TLS certificate validation disabled

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.

What it detects

ServicePointManager.ServerCertificateValidationCallback is assigned a callback that unconditionally returns true, disabling certificate validation for every HTTPS/TLS connection made by the process, not just one client.

Why it matters

ServicePointManager.ServerCertificateValidationCallback is a process-wide setting: assigning it a callback that always returns true disables certificate validation for every HTTPS and TLS connection the process makes from that point on, not just the one client that seemed to need it. Any connection made afterward, including ones that have nothing to do with the original problem, silently accepts any certificate, opening the door to man-in-the-middle attacks across the whole application.

How to fix it

Remove the callback so default certificate validation applies. If a specific connection legitimately needs a custom trust decision (an internal CA, a self-signed cert in a dev environment), scope it to that one connection using HttpClientHandler.ServerCertificateCustomValidationCallback instead of the process-wide ServicePointManager callback, and validate the certificate's thumbprint or chain against a known-good value rather than returning true unconditionally.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks