<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Encryption is key to the security of most, if not all, online communication.
Using Transport Layer Security (TLS) can ensure that communication cannot be intercepted or altered by an interloper.
For this reason, it is unwise to disable the verification that TLS provides.
Functions in the <code>requests</code> module provide verification by default, and it is only when
explicitly turned off using <code>verify=False</code> that no verification occurs.
</p>
</overview>
<recommendation>
<p>
Never use <code>verify=False</code> when making a request.
</p>
</recommendation>
<example>
<p>
The example shows two unsafe calls to <a href="https://semmle.com">semmle.com</a>, followed by various safe alternatives.
</p>
<sample src="examples/make_request.py" />
</example>
<references>
<li>
Python requests documentation: <a href="http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification">SSL Cert Verification</a>.
</li>
</references>
</qhelp>
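
An added illustration, not part of the CodeQL repository and not the query's own logic: a small standard-library checker that flags the pattern this help file describes, a call to a requests function with verify set to a constant falsy value. The function name, the sample source and the CA bundle path are constructed for this example.

```python
# Added example (not the CodeQL query): flag requests calls that pass a
# constant falsy value for verify, using only the standard library.
import ast

HTTP_FUNCS = {"get", "post", "put", "delete", "head", "patch", "options", "request"}

# Constructed sample input; it is parsed as text and never executed.
SAMPLE = '''
import requests
requests.get("https://semmle.com", verify=False)   # unsafe
requests.post("https://semmle.com", verify=0)      # unsafe: falsy constant
requests.get("https://semmle.com")                 # safe: verification is the default
requests.get("https://semmle.com", verify=True)    # safe
requests.get("https://semmle.com", verify="/path/to/ca-bundle.pem")  # safe: custom CA bundle
'''

def find_unverified_requests(source):
    """Return sorted (line, call) pairs for requests.<func>(..., verify=<falsy constant>)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Only direct calls of the form requests.<http function>(...) are considered.
        if not (isinstance(func, ast.Attribute) and func.attr in HTTP_FUNCS
                and isinstance(func.value, ast.Name) and func.value.id == "requests"):
            continue
        for kw in node.keywords:
            # verify=None falls back to the default (verification on), so it is not flagged.
            if (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is not None and not kw.value.value):
                findings.append((node.lineno, f"requests.{func.attr}"))
    return sorted(findings)

if __name__ == "__main__":
    for line, call in find_unverified_requests(SAMPLE):
        print(f"line {line}: {call} called with certificate verification disabled")
```

This checker only sees literal values passed directly at the call site; a value that reaches verify through a variable needs data-flow analysis.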