---
title: TLS Clients Must Validate Server Certificates
impact: CRITICAL
impactDescription: prevents man-in-the-middle attacks
tags: tls, certificates, validation, mitm, security, csharp
---

## TLS Clients Must Validate Server Certificates

Disabling certificate validation (for example by ignoring SSL policy errors) lets anyone on the network path present their own certificate, so the client cannot tell a man-in-the-middle from the real server.

**Incorrect (disabling validation):**

```csharp
var handler = new HttpClientHandler
{
    // DANGEROUS: Accepts any certificate
    ServerCertificateCustomValidationCallback = (msg, cert, chain, errors) => true
};
var client = new HttpClient(handler);
```

**Correct (default validation):**

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Standard HttpClient validates by default
var client = new HttpClient();

// Or specific CA validation (here: pin the expected certificate's thumbprint).
// PLACEHOLDER: replace with the real SHA-1 thumbprint in hex. A thumbprint pin
// breaks on every certificate renewal, so pin the public key where you can.
const string EXPECTED_THUMBPRINT = "<EXPECTED_THUMBPRINT_HEX>";

var handler = new HttpClientHandler
{
    ServerCertificateCustomValidationCallback = (msg, cert, chain, errors) =>
    {
        if (errors == SslPolicyErrors.None) return true;
        // Verify against pinned public key or internal CA
        if (cert is null) return false;
        return string.Equals(cert.Thumbprint, EXPECTED_THUMBPRINT, StringComparison.OrdinalIgnoreCase);
    }
};
```
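A fuller version of the "internal CA or pinned public key" branch, added here as an example that is not part of the original rule. It assumes a hypothetical `PinnedClientFactory`, an internal root CA shipped as PEM at a placeholder path, and a placeholder SPKI pin; it rejects hostname mismatches outright, re-validates the chain against the internal root only, and then pins the leaf's public key.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinnedClientFactory
{
    // Assumed: the internal root CA, shipped with the app as PEM (placeholder path).
    private static readonly X509Certificate2 InternalRoot =
        X509Certificate2.CreateFromPemFile("/etc/myapp/internal-root-ca.pem");

    // Assumed pin: SHA-256 of the server's SubjectPublicKeyInfo, base64.
    // Placeholder value (32 zero bytes); a key-based pin survives renewals that keep the key.
    private static readonly byte[] ExpectedSpkiSha256 =
        Convert.FromBase64String("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=");

    public static HttpClient Create()
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
            {
                if (cert is null || chain is null) return false;

                // A hostname mismatch is exactly the MITM case this rule exists to stop.
                if (errors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch)) return false;

                // Re-validate the chain against the internal CA only, with revocation checking on.
                chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
                chain.ChainPolicy.CustomTrustStore.Clear();
                chain.ChainPolicy.CustomTrustStore.Add(InternalRoot);
                chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
                if (!chain.Build(cert)) return false;

                // Then pin the leaf's public key, compared in constant time.
                byte[] spki = cert.PublicKey.ExportSubjectPublicKeyInfo();
                byte[] actual = SHA256.HashData(spki);
                return CryptographicOperations.FixedTimeEquals(actual, ExpectedSpkiSha256);
            }
        };
        return new HttpClient(handler);
    }
}
```

For an internal CA the incoming `errors` will normally carry `RemoteCertificateChainErrors`, because the OS store does not trust that root; that is why the chain is rebuilt against the custom trust store instead of being accepted from the flags.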

**Tools:** Roslyn Analyzers, SonarQube
