== How to fix it in Python Standard Library

=== Code examples

include::../../common/fix/code-rationale.adoc[]

Certificate validation is not enabled by default when
``++_create_unverified_context++`` or ``++_create_stdlib_context++`` is used.  It is
recommended to use `create_default_context`, without explicitly setting
`check_hostname` to `False`. +
Doing so creates a secure context that validates both hostnames and
certificates.

==== Noncompliant code example

[source,python,diff-id=1,diff-type=noncompliant]
----
import ssl

example = ssl._create_stdlib_context() # Noncompliant

example = ssl._create_default_https_context()
example.check_hostname = False # Noncompliant
----

==== Compliant solution

[source,python,diff-id=1,diff-type=compliant]
----
import ssl

example = ssl.create_default_context()

example = ssl._create_default_https_context()
----

=== How does this work?

include::../../common/fix/validation.adoc[]