Skip to main content

no-insecure-tls-agent-options

Disallow TLS and HTTPS option objects that disable certificate verification.

Targeted pattern scopeโ€‹

TLS/HTTPS options objects that disable certificate verification.

What this rule reportsโ€‹

rejectUnauthorized: false in option objects.

Why this rule existsโ€‹

Disabling certificate verification removes core TLS trust guarantees.

โŒ Incorrectโ€‹

new https.Agent({ rejectUnauthorized: false });

โœ… Correctโ€‹

new https.Agent({ rejectUnauthorized: true });

ESLint flat config exampleโ€‹

import sdl from "eslint-plugin-sdl-2";

export default [
{
plugins: { sdl },

rules: {
"sdl/no-insecure-tls-agent-options": "error",
},
},
];

When not to use itโ€‹

Disable only in tightly scoped debugging or local interception scenarios that cannot affect production traffic.

Package documentationโ€‹

Further readingโ€‹

Rule catalog ID: R041