# Insecure TLS/SSL Configuration

- ID: javascript-insecure-tls-config
- Severity: HIGH
- CWE: Improper Certificate Validation (CWE-295)
- Languages: JavaScript, TypeScript

## Description

Detects insecure TLS/SSL configurations in Node.js applications that weaken transport security.

Common misconfigurations:

- `rejectUnauthorized: false` (disables certificate validation)
- `NODE_TLS_REJECT_UNAUTHORIZED=0` (globally disables TLS verification)
- Weak TLS versions (TLS 1.0, 1.1)
- Insecure SSL options in HTTPS requests

These misconfigurations allow man-in-the-middle attacks.

## Remediation

Keep certificate verification enabled and use TLS 1.2 or higher.

```javascript
const https = require('https');

// Validate the peer certificate and refuse anything older than TLS 1.2.
const agent = new https.Agent({
  rejectUnauthorized: true,
  minVersion: 'TLSv1.2'
});
```

Learn more: https://shoulder.dev/learn/javascript/cwe-295/insecure-tls-config

## Related Rules

- **Insecure TLS/SSL Configuration** [HIGH]
- **SSL/TLS Certificate Validation Disabled** [HIGH]
- **SSL/TLS Certificate Verification Disabled** [HIGH]
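
The misconfigurations listed in the Description can also be caught at runtime, before an options object reaches `https.Agent` or `https.request`. The following is an added example, not the rule's own implementation: `auditTlsOptions`, `assertSafeTlsOptions`, and the finding ids are hypothetical names, and the sample option objects are constructed.

```javascript
// Added example, not the rule's implementation. auditTlsOptions and the
// finding ids are hypothetical names; the sample option objects are constructed.
const TLS_VERSIONS = ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3']; // weakest first
const MIN_OK = TLS_VERSIONS.indexOf('TLSv1.2');
// Legacy OpenSSL method names that pin a connection to SSLv3, TLS 1.0 or TLS 1.1.
const LEGACY_METHOD = /^(SSLv3|TLSv1|TLSv1_1)(_client|_server)?_method$/;

function isBelowTls12(version) {
  const idx = TLS_VERSIONS.indexOf(version);
  return idx !== -1 && idx < MIN_OK;
}

function auditTlsOptions(options = {}, env = process.env) {
  const findings = [];
  // Per-agent or per-request certificate validation switched off.
  if (options.rejectUnauthorized === false) {
    findings.push({ id: 'cert-validation-disabled', where: 'options.rejectUnauthorized' });
  }
  // Node.js disables verification process-wide when this variable is exactly '0'.
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    findings.push({ id: 'cert-validation-disabled', where: 'NODE_TLS_REJECT_UNAUTHORIZED' });
  }
  // A floor or a ceiling below TLS 1.2 both permit a weak protocol version.
  for (const key of ['minVersion', 'maxVersion']) {
    if (isBelowTls12(options[key])) {
      findings.push({ id: 'weak-tls-version', where: `options.${key}=${options[key]}` });
    }
  }
  if (typeof options.secureProtocol === 'string' && LEGACY_METHOD.test(options.secureProtocol)) {
    findings.push({ id: 'weak-tls-version', where: `options.secureProtocol=${options.secureProtocol}` });
  }
  return findings;
}

// Fail closed: refuse to hand back options that carry any finding.
function assertSafeTlsOptions(options, env = process.env) {
  const findings = auditTlsOptions(options, env);
  if (findings.length > 0) {
    throw new Error('insecure TLS configuration: ' + findings.map((f) => f.where).join(', '));
  }
  return options;
}

// Constructed samples: a weakened config beside the page's remediation values.
const weak = { rejectUnauthorized: false, minVersion: 'TLSv1', secureProtocol: 'TLSv1_1_method' };
const hardened = { rejectUnauthorized: true, minVersion: 'TLSv1.2' };
console.log(auditTlsOptions(weak, { NODE_TLS_REJECT_UNAUTHORIZED: '0' }));
console.log(auditTlsOptions(hardened, {}));
```

Wrapping agent construction as `new https.Agent(assertSafeTlsOptions(opts))` makes a weakened configuration fail at startup instead of silently accepting unverified peers.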