- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
ID: php-security/curl-hostname-verification
Language: PHP
Severity: Error
Category: Security
CWE: 297
Disabling hostname validation can expose your application to security risks, such as man-in-the-middle attacks, where an attacker can impersonate the server you’re trying to connect to.
Hostname validation is a security feature that ensures the server you’re connecting to is the one it claims to be. It does this by checking the server’s SSL certificate against the hostname you’re using to connect. If they don’t match, the connection is refused. This protects your application by ensuring it’s communicating with the correct server.
To ensure you’re following this rule, do not set CURLOPT_SSL_VERIFYHOST
to 0
when initializing a cURL session. Instead, you should either omit this option, or set it to 2
which also checks that the common name exists and that it matches the hostname provided in the URL. This will ensure that hostname validation is enabled and your application is protected from potential security threats.
<?php
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, 'https://domain.tld/');
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
<?php
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, 'https://domain.tld/');
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 1); // This can be omitted as it's the default
|
|
For more information, please read the Code Analysis documentation
Identify code vulnerabilities directly in yourVS Code editor
Identify code vulnerabilities directly inJetBrains products