no-node-tls-legacy-protocol
Disallow legacy TLS protocol selection in Node.js TLS and HTTPS configuration.
Targeted pattern scope
This rule targets Node.js TLS and HTTPS option objects, plus assignments to
tls.DEFAULT_MIN_VERSION or tls.DEFAULT_MAX_VERSION, when they select legacy
protocols such as TLSv1, TLSv1.0, TLSv1.1, or legacy
secureProtocol values like TLSv1_method.
What this rule reports
This rule reports legacy protocol selection through:
- minVersion
- maxVersion
- secureProtocol
- tls.DEFAULT_MIN_VERSION
- tls.DEFAULT_MAX_VERSION
Why this rule exists
Allowing TLS 1.0 or TLS 1.1 weakens transport security and can re-enable obsolete protocol negotiation for outbound or inbound connections. Modern Node code should require TLS 1.2 or newer.
❌ Incorrect
```js
import tls from "node:tls";
import https from "node:https";
tls.createSecureContext({ minVersion: "TLSv1.1" });
new https.Agent({ secureProtocol: "TLSv1_method" });
tls.DEFAULT_MIN_VERSION = "TLSv1";
```
✅ Correct
```js
import tls from "node:tls";
import https from "node:https";
tls.createSecureContext({ minVersion: "TLSv1.2" });
new https.Agent({ secureProtocol: "TLSv1_2_method" });
tls.DEFAULT_MIN_VERSION = "TLSv1.2";
```
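The lint rule catches these values statically; the same policy can be applied at startup to option objects built from environment or config files, which the linter cannot see. The guard below is an added example, not code from eslint-plugin-sdl-2 or Node.js; the function names and the exact legacy sets (extended to TLSv1_1_method alongside TLSv1_method) are assumptions made for this example.

```javascript
// Added example: runtime guard mirroring no-node-tls-legacy-protocol.
// Apply it to option objects before they reach tls.createSecureContext,
// https.Agent, or assignments to tls.DEFAULT_MIN_VERSION / DEFAULT_MAX_VERSION.
// The sets below are assumptions for this example, not the plugin's own tables.

// Version strings the rule treats as legacy for minVersion / maxVersion
// and for tls.DEFAULT_MIN_VERSION / tls.DEFAULT_MAX_VERSION.
const LEGACY_VERSIONS = new Set(["TLSv1", "TLSv1.0", "TLSv1.1"]);

// secureProtocol method names that pin a single legacy protocol version.
// "TLS_method" is deliberately absent: it negotiates the highest version both
// sides support and is bounded by minVersion / maxVersion instead.
const LEGACY_METHODS = new Set(["TLSv1_method", "TLSv1_1_method"]);

// Returns one finding per legacy selection; an empty array means the
// options object is acceptable under the rule.
function findLegacyTlsOptions(options) {
  const findings = [];
  for (const key of ["minVersion", "maxVersion"]) {
    const value = options[key];
    if (typeof value === "string" && LEGACY_VERSIONS.has(value)) {
      findings.push(`${key} selects legacy protocol ${value}`);
    }
  }
  const method = options.secureProtocol;
  if (typeof method === "string" && LEGACY_METHODS.has(method)) {
    findings.push(`secureProtocol selects legacy method ${method}`);
  }
  return findings;
}

// Same check for a value about to be assigned to tls.DEFAULT_MIN_VERSION
// or tls.DEFAULT_MAX_VERSION.
function isLegacyDefaultVersion(value) {
  return typeof value === "string" && LEGACY_VERSIONS.has(value);
}

// Fails fast at startup instead of silently weakening every connection.
function assertModernTlsOptions(options) {
  const findings = findLegacyTlsOptions(options);
  if (findings.length > 0) {
    throw new Error(`Legacy TLS configuration rejected: ${findings.join("; ")}`);
  }
  return options;
}

// Constructed inputs mirroring the Incorrect and Correct blocks above.
console.log(findLegacyTlsOptions({ minVersion: "TLSv1.1", secureProtocol: "TLSv1_method" }));
console.log(findLegacyTlsOptions({ minVersion: "TLSv1.2", secureProtocol: "TLSv1_2_method" }));
```

Note that a legacy maxVersion is reported as well: capping at TLS 1.1 forces every negotiation down to a legacy protocol even when minVersion is unset.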
ESLint flat config example
```js
import sdl from "eslint-plugin-sdl-2";

export default [
  {
    plugins: { sdl },
    rules: {
      "sdl/no-node-tls-legacy-protocol": "error",
    },
  },
];
```
When not to use it
Disable this rule only if you intentionally maintain legacy interoperability with endpoints that cannot support TLS 1.2 or newer, and that compatibility decision is documented and explicitly accepted as risk.
Rule catalog ID: R058