TLS certificate verification disabled
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.
What it detects
Disabling certificate verification (rejectUnauthorized: false, verify=False) exposes traffic to MITM attacks.
Why it matters
Turning off certificate verification means your app will trust any server that answers, including one an attacker put in the middle of the connection. Every credential and payload sent over that connection can be read or altered in transit. These flags usually get added to silence a local certificate error and then ship to production.
How to fix it
Remove rejectUnauthorized: false and verify=False, then fix the underlying certificate issue properly: for internal or self-signed CAs, point Node at the CA bundle with NODE_EXTRA_CA_CERTS or the https agent's ca option, and in Python pass verify='/path/to/ca.pem' or set REQUESTS_CA_BUNDLE. Never ship a client that skips verification.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo