include::../description.adoc[] == Noncompliant Code Example There is no way to disable certificate verification in tls, https and request modules but it is possible to not reject request when verification fails. https://nodejs.org/api/https.html[https] built-in module: ---- let options = { hostname: 'www.example.com', port: 443, path: '/', method: 'GET', secureProtocol: 'TLSv1_2_method', rejectUnauthorized: false ; // Noncompliant }; let req = https.request(options, (res) => { res.on('data', (d) => { process.stdout.write(d); }); }); // Noncompliant ---- https://nodejs.org/api/tls.html[tls] built-in module: ---- let options = { secureProtocol: 'TLSv1_2_method', rejectUnauthorized: false ; // Noncompliant }; let socket = tls.connect(443, "www.example.com", options, () => { process.stdin.pipe(socket); process.stdin.resume(); }); // Noncompliant ---- https://www.npmjs.com/package/request[request] module: ---- let socket = request.get({ url: 'www.example.com', secureProtocol: 'TLSv1_2_method', rejectUnauthorized: false ; // Noncompliant }); ---- == Compliant Solution https://nodejs.org/api/https.html[https] built-in module: ---- let options = { hostname: 'www.example.com', port: 443, path: '/', method: 'GET', secureProtocol: 'TLSv1_2_method' }; let req = https.request(options, (res) => { res.on('data', (d) => { process.stdout.write(d); }); }); // Compliant: by default rejectUnauthorized is set to true ---- https://nodejs.org/api/tls.html[tls] built-in module: ---- let options = { secureProtocol: 'TLSv1_2_method' }; let socket = tls.connect(443, "www.example.com", options, () => { process.stdin.pipe(socket); process.stdin.resume(); }); // Compliant: by default rejectUnauthorized is set to true ---- https://www.npmjs.com/package/request[request] module: ---- let socket = request.get({ url: 'https://www.example.com/', secureProtocol: 'TLSv1_2_method' // Compliant }); // Compliant: by default rejectUnauthorized is set to true ---- include::../see.adoc[]