no-node-tls-reject-unauthorized-zero
Disallow process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0" in Node.js code.
Targeted pattern scope
This rule targets assignment expressions that set
process.env.NODE_TLS_REJECT_UNAUTHORIZED to 0 or "0".
What this rule reports
This rule reports assignments that disable TLS certificate verification through
NODE_TLS_REJECT_UNAUTHORIZED.
Why this rule exists
Disabling certificate validation removes server identity verification and introduces man-in-the-middle risk for outbound TLS connections.
Incorrect
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
Correct
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "1";
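The targeted pattern, written out as a minimal ESLint rule over ESTree nodes. This is an added example, not the eslint-plugin-sdl-2 implementation; the helper names are hypothetical, and matching the bracket form `process.env["NODE_TLS_REJECT_UNAUTHORIZED"]` is an assumption of this sketch that goes beyond the scope stated above.

```javascript
// Added sketch, not the eslint-plugin-sdl-2 source; all helper names are hypothetical.
const ENV_VAR = "NODE_TLS_REJECT_UNAUTHORIZED";

// Static property name of obj.NAME or obj["NAME"]; null when it is dynamic.
function propName(member) {
  const p = member.property;
  if (!member.computed) return p.type === "Identifier" ? p.name : null;
  return p.type === "Literal" && typeof p.value === "string" ? p.value : null;
}

// True for the ESTree shape of process.env.NODE_TLS_REJECT_UNAUTHORIZED.
function isTlsEnvTarget(node) {
  if (node.type !== "MemberExpression" || propName(node) !== ENV_VAR) return false;
  const env = node.object;
  return env.type === "MemberExpression" && propName(env) === "env" &&
    env.object.type === "Identifier" && env.object.name === "process";
}

// process.env stores values as strings, so assigning 0 has the same effect as "0".
const isZero = (n) => n.type === "Literal" && (n.value === 0 || n.value === "0");

const rule = {
  meta: { type: "problem", schema: [], messages: { disabled: "TLS certificate verification is disabled." } },
  create(context) {
    return {
      AssignmentExpression(node) {
        if (node.operator === "=" && isTlsEnvTarget(node.left) && isZero(node.right))
          context.report({ node, messageId: "disabled" });
      },
    };
  },
};

// Constructed sample input: ESTree for `process.env.NODE_TLS_REJECT_UNAUTHORIZED = <value>`.
function sampleAssignment(value) {
  const id = (name) => ({ type: "Identifier", name });
  const member = (object, name) =>
    ({ type: "MemberExpression", computed: false, object, property: id(name) });
  const left = member(member(id("process"), "env"), ENV_VAR);
  return { type: "AssignmentExpression", operator: "=", left, right: { type: "Literal", value } };
}

// Drive the visitor with one node and return the reported message ids.
function lint(node) {
  const reports = [];
  rule.create({ report: (r) => reports.push(r.messageId) }).AssignmentExpression(node);
  return reports;
}
```

A static check like this only sees assignments in source; a value of "0" inherited from the shell or container environment needs a separate runtime or deployment check.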
ESLint flat config example
import sdl from "eslint-plugin-sdl-2";

export default [
  {
    plugins: { sdl },
    rules: {
      "sdl/no-node-tls-reject-unauthorized-zero": "error",
    },
  },
];
When not to use it
Disable only in tightly controlled local debugging contexts where no production or shared environment can inherit the override.
Rule catalog ID: R023