{
    "id": "S039",
    "name": "TLS clients must validate server certificates",
    "description": "Ensure TLS clients validate the certificate presented by the server before any application data is sent over the connection. Verify the certificate is signed by a trusted CA, validate the full chain up to a trusted root, check that the certificate has not expired, and confirm the hostname matches the certificate's SAN (falling back to CN only for legacy certificates).",
    "category": "security",
    "severity": "critical",
    "enabled": true,
    "engines": ["heuristic"],
    "enginePreference": ["heuristic"],
    "tags": ["security", "tls", "ssl", "certificates", "validation", "mitm"],
    "examples": {
        "valid": [
            "const https = require('https'); // Default validates certificates",
            "fetch('https://api.example.com'); // Default validates",
            "axios.get('https://api.example.com'); // Default validates"
        ],
        "invalid": [
            "{ rejectUnauthorized: false } // Disables validation",
            "requests.get(url, verify=False) // Python: disables validation",
            "InsecureSkipVerify: true // Go: disables validation",
            "NODE_TLS_REJECT_UNAUTHORIZED=0 // Disables globally"
        ]
    },
    "fixable": false,
    "docs": {
        "description": "This rule ensures TLS clients properly validate server certificates so that a man-in-the-middle cannot impersonate the server. Required validation includes: verify the certificate is signed by a trusted CA, check the certificate chain up to a trusted root CA, validate that the certificate has not expired, and confirm the hostname matches the certificate's SAN (CN only as a legacy fallback). DO NOT disable validation with rejectUnauthorized: false, verify=False, or InsecureSkipVerify: true; if a private or self-signed CA must be trusted, add it to the client's trust store instead of turning verification off.",
        "url": "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/"
    }
}
