Skip to content

request-with-no-cert-validation (S501)#

Derived from the flake8-bandit linter.

What it does#

Checks for HTTPS requests that disable SSL certificate checks.

Why is this bad?#

If SSL certificates are not verified, an attacker could perform a "man in the middle" attack by intercepting and modifying traffic between the client and server.


import requests

requests.get("", verify=False)

Use instead:

import requests

requests.get("")  # By default, `verify=True`.