Critiq Docs

security.transport

# Do not trust every TLS certificate

TrustManagers must validate certificates; empty `checkServerTrusted`/`checkClientTrusted` bodies or `TrustAllStrategy` accept any peer.

## Metadata

| Field | Value |
| --- | --- |
| Rule ID | `java.security.trust-all-certificates` |
| Severity | critical |
| Confidence | 0.93 |
| Languages | java |
| Presets | security, strict |
| Stability | stable |
| Applies to | block |
| Tags | java, rules-catalog, security, tls |

## Why it matters

Disabling certificate validation defeats TLS peer authentication: the connection is still encrypted, but to whoever answers, so an on-path attacker can present their own certificate and read or modify the traffic (a man-in-the-middle attack).

## Remediation

Use the platform default `TrustManager` or pin specific CAs; never ship a TrustManager whose validation methods are empty.
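The following is an added example, not code from the Critiq rule catalog: the empty-bodied TrustManager shape this rule flags, next to the two remediations the text names, the platform default trust store and a TrustManager pinned to a single CA. The class name `TlsTrust` and the `caPemPath` parameter are assumed names.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TlsTrust {

    // What the rule flags: empty validation bodies accept any peer certificate.
    // Shown only so the flagged shape is recognisable; never ship this.
    static final TrustManager TRUST_ALL = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // Remediation 1: platform default. A null TrustManager[] makes SSLContext use the
    // default TrustManagerFactory, which validates chains against the JVM's cacerts store.
    static SSLContext platformDefault() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        return ctx;
    }

    // Remediation 2: pin a specific CA. Only chains that terminate at the CA certificate
    // read from caPemPath (assumed path to a PEM/DER X.509 file) are accepted; full PKIX
    // checks (expiry, hostname via the endpoint identification, key usage) still apply.
    static SSLContext pinnedTo(String caPemPath) throws Exception {
        X509Certificate ca;
        try (InputStream in = new FileInputStream(caPemPath)) {
            ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                 // empty in-memory trust store
        ks.setCertificateEntry("pinned-ca", ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                        // PKIX validation restricted to this one CA
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

A scanner implementing this rule should match the `TRUST_ALL` block above and accept the two factory methods, which never override the validation callbacks.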

## Repository path

The generated metadata points to `critiq-rules/libs/rules/catalog/rules/java/java.security.trust-all-certificates.rule.yaml`.