Disabling hostname validation can expose your application to security risks, such as man-in-the-middle attacks, where an attacker can impersonate the server you’re trying to connect to.
Hostname validation is a security feature that ensures the server you’re connecting to is the one it claims to be. It does this by checking the server’s SSL certificate against the hostname you’re using to connect. If they don’t match, the connection is refused. This protects your application by ensuring it’s communicating with the correct server.
To ensure you’re following this rule, do not set CURLOPT_SSL_VERIFYHOST to 0 when initializing a cURL session. Instead, you should either omit this option, or set it to 2 which also checks that the common name exists and that it matches the hostname provided in the URL. This will ensure that hostname validation is enabled and your application is protected from potential security threats.
<?php$curl=curl_init();curl_setopt($curl,CURLOPT_URL,'https://domain.tld/');curl_setopt($curl,CURLOPT_SSL_VERIFYHOST,1);// This can be omitted as it's the default
Seamless integrations. Try Datadog Code Analysis
Datadog Code Analysis
Try this rule and analyze your code with Datadog Code Analysis
How to use this rule
1
2
rulesets:- php-security # Rules to enforce PHP security.
Create a static-analysis.datadog.yml with the content above at the root of your repository
Use our free IDE Plugins or add Code Analysis scans to your CI pipelines