---
title: TLS verification is disabled
description: Datadog, the leading service for cloud-scale monitoring.
---

# TLS verification is disabled

## Metadata{% #metadata %}

**ID:** `rust-security/tls-verification-disabled`

**Language:** Rust

**Severity:** Error

**Category:** Security

**CWE**: [295](https://cwe.mitre.org/data/definitions/295.html)

**Related CWEs**:

- [296](https://cwe.mitre.org/data/definitions/296.html)
- [299](https://cwe.mitre.org/data/definitions/299.html)

## Description{% #description %}

Calling `danger_accept_invalid_certs(true)`, `danger_accept_invalid_hostnames(true)`, or their `tls_*` equivalents on a `reqwest::ClientBuilder` disables TLS validation, exposing every HTTPS request to man-in-the-middle attacks. The methods are prefixed `danger_` as a warning that they should never appear in production code.

#### Learn More{% #learn-more %}

- [CWE-295: Improper Certificate Validation](https://cwe.mitre.org/data/definitions/295.html)
- [reqwest::ClientBuilder documentation](https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html)

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```rust
use reqwest::ClientBuilder;

fn build_unsafe_certs() -> reqwest::Result<reqwest::Client> {
    ClientBuilder::new()
        .danger_accept_invalid_certs(true)
        .build()
}

fn build_unsafe_hostnames() -> reqwest::Result<reqwest::Client> {
    ClientBuilder::new()
        .danger_accept_invalid_hostnames(true)
        .build()
}

// Flagged even mid-chain, on a builder passed in from elsewhere
fn standalone_call(builder: ClientBuilder) -> ClientBuilder {
    builder.danger_accept_invalid_certs(true).tcp_nodelay(false)
}
```

## Compliant Code Examples{% #compliant-code-examples %}

```rust
use reqwest::ClientBuilder;

// Explicitly false (the default)
fn build_safe() -> reqwest::Result<reqwest::Client> {
    ClientBuilder::new()
        .danger_accept_invalid_certs(false)
        .danger_accept_invalid_hostnames(false)
        .build()
}

// No options set
fn build_default() -> reqwest::Result<reqwest::Client> {
    ClientBuilder::new().build()
}
```
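
For repositories not yet covered by the analyzer, the check described above can be approximated with a std-only text scan. This is an added example, not Datadog's rule implementation or code from the reqwest project. It goes beyond the `(true)` case by also reporting non-literal arguments, and it assumes the `tls_*` equivalents are the same two method names with a `tls_` prefix.

```rust
// Added example: a line-based text scan, not Datadog's rule implementation.
// Limits: calls split across lines are missed; "//" inside a string literal
// truncates the line.
const DANGER_SUFFIXES: [&str; 2] = [
    "danger_accept_invalid_certs",
    "danger_accept_invalid_hostnames",
];

// Constructed sample input. The `tls_`-prefixed spelling is an assumption.
const SAMPLE: &str = r#"
let a = ClientBuilder::new().danger_accept_invalid_certs(true).build()?;
let b = ClientBuilder::new().danger_accept_invalid_hostnames( false );
let c = builder.tls_danger_accept_invalid_certs(insecure);
// builder.danger_accept_invalid_certs(true) mentioned in a comment
"#;

/// Returns (1-based line, method name, argument) for each call whose
/// argument is anything other than the literal `false`.
fn find_disabled_tls(source: &str) -> Vec<(usize, String, String)> {
    let is_ident = |c: char| c.is_ascii_alphanumeric() || c == '_';
    let mut hits = Vec::new();
    for (idx, line) in source.lines().enumerate() {
        let code = line.split("//").next().unwrap_or(""); // drop line comments
        for suffix in DANGER_SUFFIXES {
            let mut from = 0;
            while let Some(pos) = code[from..].find(suffix) {
                let (start, end) = (from + pos, from + pos + suffix.len());
                from = end;
                // Walk left over identifier characters to keep any prefix.
                let name_start = code[..start].trim_end_matches(is_ident).len();
                // Require a call: `(` then the argument up to the first `)`.
                let Some(args) = code[end..].trim_start().strip_prefix('(') else { continue };
                let Some(close) = args.find(')') else { continue };
                let arg = args[..close].trim();
                if arg != "false" {
                    hits.push((idx + 1, code[name_start..end].to_string(), arg.to_string()));
                }
            }
        }
    }
    hits
}

fn main() {
    for (line, method, arg) in find_disabled_tls(SAMPLE) {
        println!("line {line}: {method}({arg}) leaves TLS validation off or caller-controlled");
    }
}
```

A hit with a variable argument, such as `insecure` in the sample, means validation can be switched off at runtime, so trace where that value comes from.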