Certificate Validation Disabled
Disabling TLS certificate validation with NODE_TLS_REJECT_UNAUTHORIZED=0 or rejectUnauthorized: false allows man-in-the-middle attacks on all HTTPS connections.
How It Works
TLS certificate validation ensures that when your application connects to api.stripe.com, it is actually talking to Stripe and not an attacker intercepting the connection. When developers encounter certificate errors during development (self-signed certs, expired certs, hostname mismatches), they often disable validation entirely with NODE_TLS_REJECT_UNAUTHORIZED=0 or rejectUnauthorized: false. If this reaches production, any attacker on the same network can perform a man-in-the-middle attack. They present their own certificate, the application accepts it without question, and all HTTPS traffic — including API keys, user credentials, and payment data — is readable by the attacker. This is especially dangerous in cloud environments where network traffic passes through shared infrastructure.
Vulnerable pattern:

// Disabling TLS validation globally for the whole process
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';

// Or per-request (the `agent` option is node-fetch API; Node's built-in fetch ignores it)
const fetch = require('node-fetch');
const https = require('https');
const agent = new https.Agent({ rejectUnauthorized: false });
fetch('https://api.stripe.com/v1/charges', { agent });

Fix:

// For self-signed certs in dev, trust the dev CA instead of disabling validation
const fetch = require('node-fetch');
const https = require('https');
const fs = require('fs');
const agent = new https.Agent({
  ca: fs.readFileSync('certs/dev-ca.pem'),
  rejectUnauthorized: true
});
fetch('https://api.stripe.com/v1/charges', { agent });

// In production, use default validation (rejectUnauthorized defaults to true)
fetch('https://api.stripe.com/v1/charges');

Real-World Example
In 2014, researchers found that 33% of Android apps using HTTPS had disabled certificate validation, making them vulnerable to man-in-the-middle attacks. Multiple banking apps were affected. The same pattern has been found in Node.js applications where NODE_TLS_REJECT_UNAUTHORIZED=0 was set as a quick fix during development and never removed.
How to Prevent It
- Never set NODE_TLS_REJECT_UNAUTHORIZED=0 in any environment
- For development with self-signed certs, add the CA certificate to the agent instead
- Use ESLint rules to detect and block rejectUnauthorized: false in code
- Audit environment variables and startup scripts for TLS bypass settings before deployment
Affected Technologies
Data Hogo detects this vulnerability automatically.
Related Vulnerabilities
- ECB Mode (medium): Using ECB (Electronic Codebook) mode for encryption produces identical ciphertext blocks for identical plaintext blocks, revealing patterns in the encrypted data.
- Static IV/Nonce (high): Using a hardcoded or constant Initialization Vector (IV) or nonce for encryption defeats the purpose of the IV and allows attackers to detect patterns and decrypt data.
- Weak Key Size (medium): Using cryptographic keys shorter than recommended minimums (RSA less than 2048 bits, AES less than 128 bits) makes encryption vulnerable to brute-force attacks with modern hardware.
- Weak PRNG for Security (high): Using Math.random() or Date.now() to generate tokens, session IDs, or reset codes produces predictable values that attackers can guess or reproduce.