---
title: TLS Clients Must Validate Server Certificates
impact: CRITICAL
impactDescription: prevents man-in-the-middle attacks
tags: tls, certificates, validation, mitm, security
---

## TLS Clients Must Validate Server Certificates

Disabling certificate validation makes TLS useless: an attacker on the network path can present a self-signed or forged certificate and intercept all traffic.

**Incorrect (disabled validation):**

```go
// DANGEROUS: Skipping verification accepts any certificate the server
// presents, including a forged one, so the connection can be intercepted.
tr := &http.Transport{
    TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}
client := &http.Client{Transport: tr}
```

**Correct (proper validation):**

```go
// Default behavior: validates the chain and hostname against system root CAs
resp, err := http.Get("https://api.example.com")
if err != nil {
    return err
}
defer resp.Body.Close()

// Custom CA for internal services: trust only the internal CA while still
// validating the chain and hostname. Check both the read error and the
// result of AppendCertsFromPEM; an empty pool would otherwise fail silently.
caCert, err := os.ReadFile("internal-ca.crt")
if err != nil {
    return fmt.Errorf("reading internal CA: %w", err)
}
caCertPool := x509.NewCertPool()
if !caCertPool.AppendCertsFromPEM(caCert) {
    return errors.New("internal-ca.crt contains no valid PEM certificates")
}

tr := &http.Transport{
    TLSClientConfig: &tls.Config{
        RootCAs: caCertPool,
    },
}
client := &http.Client{Transport: tr}
```
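
The following self-contained program, added here as an example and not part of the original rule, shows the three configurations behaving differently against the same server. It builds an in-memory CA and a server certificate (constructed stand-ins for `internal-ca.crt` and an internal service), serves them with `httptest`, and then connects with a client that trusts the CA, a client with system roots only, and a client using `InsecureSkipVerify`. The helper names (`buildChain`, `probe`, `runDemo`, `Results`) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// template returns a one-hour certificate template; CA and leaf adjust it.
func template(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

// buildChain constructs, in memory, a self-signed CA (the role of internal-ca.crt)
// and a server certificate for 127.0.0.1 signed by it.
func buildChain() (*x509.Certificate, tls.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	caTmpl := template(1, "Example Internal CA")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage |= x509.KeyUsageCertSign
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	leafTmpl := template(2, "internal-service")
	leafTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	leafTmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)} // SAN must match the URL host
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	return ca, tls.Certificate{Certificate: [][]byte{leafDER}, PrivateKey: leafKey}, nil
}

// probe makes one GET and returns the handshake or request error (nil on success).
func probe(client *http.Client, url string) error {
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// isUnknownAuthority reports whether err is the chain-validation failure a
// validating client produces for a certificate from a CA it does not trust.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// Results holds the outcome of the same request under each client configuration.
type Results struct {
	InternalCA  error // RootCAs pool holding the internal CA (the rule's correct form)
	SystemRoots error // default transport, system roots only
	Insecure    error // InsecureSkipVerify (the rule's incorrect form)
}

// runDemo serves TLS with the constructed chain and queries it three ways.
func runDemo() (Results, error) {
	ca, leaf, err := buildChain()
	if err != nil {
		return Results{}, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{leaf}}
	srv.StartTLS()
	defer srv.Close()

	pool := x509.NewCertPool()
	pool.AddCert(ca)
	trusted := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}
	system := &http.Client{Transport: &http.Transport{}}
	insecure := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}}
	res := Results{
		InternalCA:  probe(trusted, srv.URL),
		SystemRoots: probe(system, srv.URL),
		Insecure:    probe(insecure, srv.URL),
	}
	for _, c := range []*http.Client{trusted, system, insecure} {
		c.CloseIdleConnections()
	}
	return res, nil
}

func main() {
	res, err := runDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("trusting internal CA:", res.InternalCA)
	fmt.Println("system roots only:", res.SystemRoots, "| unknown authority:", isUnknownAuthority(res.SystemRoots))
	fmt.Println("InsecureSkipVerify:", res.Insecure)
}
```

Running it shows the behaviour the rule describes: the client with the internal CA in `RootCAs` succeeds, the client with only system roots fails with `x509.UnknownAuthorityError` (the correct outcome for a certificate it has no reason to trust), and the `InsecureSkipVerify` client succeeds against that same unverified certificate, which is exactly why `gosec` flags it under G402.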

**Tools:** `crypto/tls`, `crypto/x509`, `gosec` (G402)
