Skip TLS verification for local dev

Skip TLS certificate verification to reach a local dev server using a self-signed cert. Use this in development only.

Overview

Skip TLS certificate verification to reach a local dev server using a self-signed cert. Use this in development only.

In code

# -k / --insecure skips certificate verification. DEV ONLY.
curl -k https://localhost:8443/health

# better: trust a specific local CA instead of disabling checks
curl --cacert ./dev-ca.pem https://localhost:8443/health
import requests

# verify=False disables checks (dev only) and warns loudly
res = requests.get('https://localhost:8443/health', verify=False)

# preferred: point at your local CA bundle
# res = requests.get(url, verify='./dev-ca.pem')
// Node: env var disables TLS checks process-wide. DEV ONLY.
// NODE_TLS_REJECT_UNAUTHORIZED=0 node app.js

// preferred: add your dev CA instead of disabling everything
// NODE_EXTRA_CA_CERTS=./dev-ca.pem node app.js

Details

Warning (important): `curl -k`, `requests`' `verify=False`, and Node's `NODE_TLS_REJECT_UNAUTHORIZED=0` disable certificate verification entirely. In that state you cannot detect a man-in-the-middle attack, so never put it in production, CI, or container images. A stray `verify=False` in production code is a serious security hole.

The better approach is to add a trusted CA instead of disabling checks: curl's `--cacert`, `requests`' `verify='<ca.pem>'`, and Node's `NODE_EXTRA_CA_CERTS` let you point at a local CA so a self-signed cert works while verification stays on.

For local dev, a tool like `mkcert` that issues a valid local cert trusted by your OS store is cleanest of all — then you never disable any check and dev behaves exactly like production.

Related headers

Related status codes