Configuration & Environment
MCP server makes HTTPS calls with `verify=False`, `rejectUnauthorized: false`, or `NODE_TLS_REJECT_UNAUTHORIZED=0` — accepting any certificate and inviting man-in-the-middle attacks.
TLS verification is what makes HTTPS more than `http://`. With it off, an on-path attacker can serve any certificate they like and the client trusts it. The bug almost always shows up the same way: a developer hits an SSL error in dev, disables verification to make it go away, and forgets to put it back.
MCP servers frequently fetch from external APIs (GitHub, npm, OAuth providers). Disabling TLS verification on those calls means any compromised network position — corporate proxy, hostile coffee shop, malicious VPN — can steal API tokens and API responses in flight.
```python
import httpx

async def fetch(url: str) -> bytes:
    # verify=False disables certificate validation: any certificate is accepted
    async with httpx.AsyncClient(verify=False) as client:
        return (await client.get(url)).content
```
```python
import httpx

async def fetch(url: str) -> bytes:
    async with httpx.AsyncClient() as client:  # verify defaults to True
        return (await client.get(url)).content
```
MCPSafe matches `httpx.AsyncClient(verify=False)`, `requests.get(..., verify=False)`, JS `fetch(..., { agent: new https.Agent({ rejectUnauthorized: false }) })`, and `axios.create({ httpsAgent: new https.Agent({ rejectUnauthorized: false }) })`. It also flags any `process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"` assignment.
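As an added illustration of the matching described above (example code written for this page, not MCPSafe's own implementation), a minimal line-based scanner for the same idioms; the regexes and the `SAMPLE` input are constructed here, and comment-only lines are skipped so that a remark about the pattern is not reported as a hit:

```python
from __future__ import annotations
import re
from typing import NamedTuple

class Finding(NamedTuple):
    rule: str
    line: int
    text: str

# Approximations of the idioms listed on the page; not MCPSafe's matcher.
PATTERNS = {
    "python-verify-false": re.compile(r"\bverify\s*=\s*False\b"),
    "node-reject-unauthorized-false": re.compile(r"\brejectUnauthorized\s*:\s*false\b"),
    # Covers both process.env.X = "0" in JS and X=0 in a shell/env file.
    "node-tls-env-disabled": re.compile(r"NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['\"]?0['\"]?"),
}

def scan_source(source: str) -> list[Finding]:
    """Return one Finding per (rule, line) where a verification-disabling idiom appears."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        # Skip comment-only lines so mentioning the pattern is not a hit.
        if stripped.startswith(("#", "//")):
            continue
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(rule, lineno, stripped))
    return findings

# Constructed sample mixing Python and Node snippets, with bad and good forms.
SAMPLE = """\
import httpx
async with httpx.AsyncClient(verify=False) as client:   # bad
    pass
async with httpx.AsyncClient() as client:               # good: default True
    pass
const agent = new https.Agent({ rejectUnauthorized: false });  // bad
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";                // bad
// verify=False mentioned in a comment only: not flagged
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: {f.rule}: {f.text}")
```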
See the full threat catalog for every documented detection.
MCPSafe runs this check — and every other rule in the catalog — on any MCP server you paste in.