Do not disable hostname validation

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Metadata

ID: php-security/curl-hostname-verification

Language: PHP

Severity: Error

Category: Security

CWE: 297

Description

Disabling hostname validation can expose your application to security risks, such as man-in-the-middle attacks, where an attacker can impersonate the server you’re trying to connect to.

Hostname validation is a security feature that ensures the server you’re connecting to is the one it claims to be. It does this by checking the server’s SSL certificate against the hostname you’re using to connect. If they don’t match, the connection is refused. This protects your application by ensuring it’s communicating with the correct server.

To ensure you’re following this rule, do not set CURLOPT_SSL_VERIFYHOST to 0 when initializing a cURL session. Instead, you should either omit this option, or set it to 2 which also checks that the common name exists and that it matches the hostname provided in the URL. This will ensure that hostname validation is enabled and your application is protected from potential security threats.

Non-Compliant Code Examples

<?php
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, 'https://domain.tld/');
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);

Compliant Code Examples

<?php
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, 'https://domain.tld/');
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 1); // This can be omitted as it's the default
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis