Description
While reviewing the codebase, I noticed that an outbound HTTPS request disables TLS certificate verification by explicitly setting verify=False.
Location: `website/views/company.py`

Current code:

```python
response = requests.get(safe_url, timeout=5, verify=False)
```
Disabling certificate verification means the client never validates the server's identity during the TLS handshake. The connection is still encrypted, but only to whichever endpoint answered it, so a man-in-the-middle (MITM) attacker who can intercept the traffic can present any certificate, impersonate the destination server and return attacker-controlled responses.

Why this matters

When certificate validation is disabled:

- The client cannot verify that it is communicating with the intended server
- A MITM attacker can present any certificate (self-signed, expired, or issued for a different host) and it will still be accepted
- Application logic may trust responses that were not produced by the real target

This is particularly relevant here because the request is made to a URL derived from user-supplied input, so the destination is not a fixed, known host.
Proposed solution

Use Requests' secure default behavior by enabling certificate verification (`verify=True` is the default, so the argument can simply be dropped):

```python
response = requests.get(safe_url, timeout=5)
```

If support for self-signed certificates is required, a trusted CA bundle can be provided instead of disabling verification entirely:

```python
response = requests.get(
    safe_url,
    timeout=5,
    verify="/path/to/ca-bundle.pem"
)
```

Scope

- Type: Security bug
- Impact: Potential MITM / trust bypass on outbound HTTPS requests
- Change required: Minimal (single line)
- Breaking change: No (uses Requests default behavior)
Additional context
This issue was flagged during static analysis, but has been manually reviewed to confirm that certificate validation is explicitly disabled in production code.
I’m happy to submit a PR if this approach looks acceptable.
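The issue notes that the `verify=False` call was first flagged by static analysis and then confirmed by hand. As an added illustration (not code from this issue or from the project), the following stand-alone checker does that flagging with Python's `ast` module: it walks a source file, finds calls whose method name matches a Requests HTTP verb, and reports any that pass the literal `verify=False`. The `SAMPLE_SOURCE` below is a constructed snippet that mirrors the reported pattern (it is not the contents of `website/views/company.py`); the `fetch` function and its variable names are assumptions made for the example.

```python
"""Flag outbound Requests calls that disable TLS certificate verification.

Added example for this issue; not part of the project's code base.
"""
import ast
from dataclasses import dataclass
from typing import List, Optional

# HTTP verbs exposed by requests.* and requests.Session. Matching on the
# method name (rather than only the `requests` module) also catches
# session.get(..., verify=False).
REQUESTS_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}


@dataclass(frozen=True)
class Finding:
    lineno: int   # line of the offending call
    call: str     # dotted call target, e.g. "requests.get"
    reason: str


def _call_target(node: ast.Call) -> Optional[str]:
    """Return the call target as source text ("requests.get", "session.post"), or None."""
    if isinstance(node.func, (ast.Attribute, ast.Name)):
        return ast.unparse(node.func)
    return None


def _method_name(target: str) -> str:
    """Last component of a dotted call target."""
    return target.rpartition(".")[2]


def find_insecure_requests(source: str) -> List[Finding]:
    """Return one Finding per Requests-style call that passes the literal verify=False.

    Only the constant False is matched; verify=some_variable is left alone because
    its value is not knowable statically, which is exactly the case that needs the
    manual review the issue describes.
    """
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        target = _call_target(node)
        if target is None or _method_name(target) not in REQUESTS_METHODS:
            continue
        for kw in node.keywords:
            if (
                kw.arg == "verify"
                and isinstance(kw.value, ast.Constant)
                and kw.value.value is False
            ):
                findings.append(
                    Finding(node.lineno, target, "verify=False disables TLS certificate validation")
                )
    return findings


# Constructed sample input for the example; it is NOT the project's real file.
# Line 5 repeats the reported pattern, lines 6 and 7 show the two proposed fixes.
SAMPLE_SOURCE = '''\
import requests

def fetch(safe_url):
    # hypothetical helper mirroring the reported pattern
    response = requests.get(safe_url, timeout=5, verify=False)
    ok = requests.get(safe_url, timeout=5)
    pinned = requests.get(safe_url, timeout=5, verify="/path/to/ca-bundle.pem")
    return response, ok, pinned
'''


if __name__ == "__main__":
    for f in find_insecure_requests(SAMPLE_SOURCE):
        print(f"line {f.lineno}: {f.call}(...) -> {f.reason}")
```

Run against the sample, the checker reports only the line that passes `verify=False`; the default call and the CA-bundle call are not flagged. Pointing `find_insecure_requests` at the real file contents reproduces the manual confirmation step described above, and keeping the match restricted to the literal `False` avoids noise from configuration-driven `verify=` values that need human review anyway.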