1.2.1052. Safe Curl Options¶
It is advised to always use
CURLOPT_SSL_VERIFYPEER
andCURLOPT_SSL_VERIFYHOST
when requesting a SSL connection.
With those tests, the certificate is verified, and if it isn’t valid, the connection fails : this is a safe behavior.
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, https://www.php.net/);
// To be safe, always set this to true
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_exec($ch);
curl_close($ch);
?>
See also Don’t turn off CURLOPT_SSL_VERIFYPEER, fix your PHP configuration, Certainty: Automated CACert.pem Management for PHP Software and Server-Side HTTPS Requests.
1.2.1052.1. Suggestions¶
Always use CURLOPT_SSL_VERIFYPEER and HTTPS for communication with other servers
1.2.1052.2. Specs¶
Short name |
Security/CurlOptions |
Rulesets |
|
Exakat since |
0.8.4 |
PHP Version |
All |
Severity |
Major |
Time To Fix |
Quick (30 mins) |
Precision |
High |
Features |
curl, ssl, https |
Examples |
|
Available in |