- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
ID: php-security/curl-certificate-verification
Language: PHP
Severity: Error
Category: Security
CWE: 295
The rule requires that all SSL or TLS connections made in PHP must undergo certificate verification. This is a security measure designed to prevent man-in-the-middle attacks, where an attacker intercepts and possibly alters the communication between two parties who believe they are directly communicating with each other.
If certificate verification is not performed, it opens up the possibility for these types of attacks. This can lead to data breaches, loss of sensitive information, and other security issues. Therefore, it is crucial to ensure that all SSL or TLS connections have certificate verification enabled.
In PHP, this can be achieved by using the curl_setopt
function with the CURLOPT_SSL_VERIFYPEER
option set to true
. This tells the cURL library to verify the peer’s certificate. By default, this option is set to true
, so if it’s not explicitly set in your code, cURL will verify the certificate. Avoid setting CURLOPT_SSL_VERIFYPEER
to false
as this disables certificate verification.
<?php
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, 'https://domain.tld/');
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false); // Not compliant
curl_exec($curl);
curl_close($curl);
<?php
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, 'https://domain.tld/');
curl_exec($curl);
curl_close($curl);
|
|
For more information, please read the Code Analysis documentation
Identify code vulnerabilities directly in yourVS Code editor
Identify code vulnerabilities directly inJetBrains products