Backend safety

no-disabled-tls

Flag `rejectUnauthorized: false` and `NODE_TLS_REJECT_UNAUTHORIZED=0`.

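Each of these disables certificate verification, which turns HTTPS into "HTTP plus a vague feeling": the traffic is still encrypted, but the client accepts any certificate it is shown. AI tools paste them as "make the local cert work" fixes; the line then ships. Instead, trust a CA bundle (`ca: fs.readFileSync(...)`) or fix the underlying cert error.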

Behavior

  • Fixable: No.
  • Suggestions: No.

Examples

Bad:

// Verification is off: this agent accepts any certificate.
const agent = new https.Agent({ rejectUnauthorized: false });

Good:

// Verification stays on; `ca` replaces the default trusted roots with this bundle.
const agent = new https.Agent({ ca: fs.readFileSync(caPath) });

Use it

Enable no-disabled-tls in your eslint.config.js:

import deslint from '@deslint/eslint-plugin';

export default [
  {
    plugins: { deslint },
    rules: {
      'deslint/no-disabled-tls': 'error',
    },
  },
];
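
The rule only sees files that ESLint parses, while `NODE_TLS_REJECT_UNAUTHORIZED=0` can also be set in `.env` files, Dockerfiles or CI config. As an added example (not part of deslint and not its implementation), this regex-based check looks for the same two patterns in any text file; the function names and the sample files are constructed for illustration.

```javascript
// Text-level sketch, not an AST rule: it matches literal assignments only,
// so computed values such as `rejectUnauthorized: !isProd` are not caught.
const PATTERNS = [
  // rejectUnauthorized: false / "rejectUnauthorized": false / x.rejectUnauthorized = false
  { id: 'rejectUnauthorized',
    re: /\brejectUnauthorized\b['"]?\s*[:=]\s*false\b/ },
  // NODE_TLS_REJECT_UNAUTHORIZED set to 0 via =, :, or Dockerfile "ENV NAME 0".
  // Comparisons (=== '0') are reads, not assignments, and do not match.
  { id: 'NODE_TLS_REJECT_UNAUTHORIZED',
    re: /\bNODE_TLS_REJECT_UNAUTHORIZED\b['"\]]*\s*[=:\s]\s*['"]?0['"]?(?![\w.])/ },
];

// Returns one finding per (line, pattern) hit in a single file's text.
function findDisabledTls(text, file = '<input>') {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const { id, re } of PATTERNS) {
      if (re.test(line)) findings.push({ file, line: i + 1, id, text: line.trim() });
    }
  });
  return findings;
}

// Scans a { filename: contents } map and returns all findings in order.
function scanAll(files) {
  return Object.entries(files).flatMap(([name, text]) => findDisabledTls(text, name));
}

// Constructed sample files (not taken from any real project).
const SAMPLE = {
  'client.js': [
    'const agent = new https.Agent({ rejectUnauthorized: false });',
    'const ok = new https.Agent({ ca: fs.readFileSync(caPath) });',
    "if (process.env.NODE_TLS_REJECT_UNAUTHORIZED === '0') throw new Error('refusing to start');",
  ].join('\n'),
  '.env': 'PORT=3000\nNODE_TLS_REJECT_UNAUTHORIZED=0\n',
  'Dockerfile': 'FROM node\nENV NODE_TLS_REJECT_UNAUTHORIZED 0\n',
};

for (const f of scanAll(SAMPLE)) {
  console.log(`${f.file}:${f.line} ${f.id}: ${f.text}`);
}
```

The third line of the sample `client.js` is a startup guard that reads the variable and refuses to run; the check leaves it alone because it is a comparison, not an assignment.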
