
no-electron-insecure-certificate-verify-proc

Disallow Electron certificate verification callbacks that trust invalid certificates.

Targeted pattern scope

Electron session.setCertificateVerifyProc handlers that trust invalid certificates.

What this rule reports

Verify-proc handlers that call callback(0) or return 0.

Why this rule exists

Overriding certificate checks can silently disable TLS trust guarantees.

โŒ Incorrectโ€‹

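const { session } = require("electron");

session.defaultSession.setCertificateVerifyProc((request, callback) => {
  // 0 marks the certificate as trusted, whatever Chromium's own check found.
  callback(0);
});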

✅ Correct

const { session } = require("electron");

session.defaultSession.setCertificateVerifyProc((request, callback) => {
  // -3 defers to Chromium's verification result.
  callback(-3);
});

ESLint flat config example

import sdl from "eslint-plugin-sdl-2";

export default [
  {
    plugins: { sdl },

    rules: {
      "sdl/no-electron-insecure-certificate-verify-proc": "error",
    },
  },
];

When not to use it

Disable only if certificate trust is enforced through a reviewed pinning or enterprise policy outside the callback return value.
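
A pin check can also live inside the verify proc without ever returning 0. The following is an added example, not code from this plugin or from Electron: it only tightens Chromium's verdict, rejecting on a pin mismatch and otherwise deferring with -3. The names PINS, decide and buildVerifyProc, the host name and the fingerprint values are constructed for illustration.

```javascript
// Added example: PINS, decide and buildVerifyProc are hypothetical names.
// Electron verify-proc result codes: 0 = trust, -2 = reject, -3 = use Chromium's result.
const REJECT = -2;
const USE_CHROMIUM_RESULT = -3;

// Constructed pin set: hostname -> allowed leaf certificate fingerprints.
const PINS = new Map([
  [
    "updates.example.test",
    new Set(["sha256/CONSTRUCTED-PIN-A=", "sha256/CONSTRUCTED-PIN-B="]),
  ],
]);

// Pure decision function, so it can be unit-tested without Electron.
function decide(request, pins = PINS) {
  // Never upgrade a certificate that Chromium has already refused.
  if (request.verificationResult !== "OK") return REJECT;

  const allowed = pins.get(request.hostname);
  // Unpinned hosts keep Chromium's default verdict.
  if (!allowed) return USE_CHROMIUM_RESULT;

  // A missing certificate or fingerprint fails closed.
  const fingerprint = request.certificate && request.certificate.fingerprint;
  return allowed.has(fingerprint) ? USE_CHROMIUM_RESULT : REJECT;
}

// Adapts decide() to the (request, callback) handler shape.
function buildVerifyProc(pins = PINS) {
  return (request, callback) => callback(decide(request, pins));
}

// Assumed wiring in the Electron main process:
//   session.defaultSession.setCertificateVerifyProc(buildVerifyProc());
```

Because decide() can only produce -2 or -3, a pin-table mistake can block a connection but cannot make an invalid certificate trusted.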

Rule catalog ID: R034