From 02eb5a2cd34d36548ebb08528c73ca66c2a398d9 Mon Sep 17 00:00:00 2001
From: Matt Silverlock
Date: Sun, 16 Aug 2020 19:31:05 -0700
Subject: [PATCH] Document the dangers of using verify=False
---
 docs/user/advanced.rst | 6 ++++++
 requests/sessions.py | 14 +++++++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/docs/user/advanced.rst b/docs/user/advanced.rst
index 51fc925f..cb6967c3 100644
--- a/docs/user/advanced.rst
+++ b/docs/user/advanced.rst
@@ -243,6 +243,12 @@ Requests can also ignore verifying the SSL certificate if you set ``verify`` to
 >>> requests.get('https://kennethreitz.org', verify=False)
+Note that when ``verify`` is set to ``False``, requests will accept any TLS
+certificate presented by the server, and will ignore hostname mismatches
+and/or expired certificates, which will make your application vulnerable to
+man-in-the-middle (MitM) attacks. Setting verify to ``False`` may be useful
+during local development or testing.
+
 By default, ``verify`` is set to True. Option ``verify`` only applies to host certs.
 Client Side Certificates
diff --git a/requests/sessions.py b/requests/sessions.py
index e8e2d609..fdf7e9fe 100644
--- a/requests/sessions.py
+++ b/requests/sessions.py
@@ -387,6 +387,13 @@ class Session(SessionRedirectMixin):
 self.stream = False
 #: SSL Verification default.
+#: Defaults to `True`, requiring requests to verify the TLS certificate at the
+#: remote end.
+#: If verify is set to `False`, requests will accept any TLS certificate
+#: presented by the server, and will ignore hostname mismatches and/or
+#: expired certificates, which will make your application vulnerable to
+#: man-in-the-middle (MitM) attacks.
+#: Only set this to `False` for testing.
 self.verify = True
 #: SSL client certificate default, if String, path to ssl client
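Review bot: The new `#:` attribute comment on `self.verify` writes the values with single backticks (`True`, `False`) while the `request()` docstring in the same patch uses reST literals (``True``, ``False``); Sphinx autodoc renders `#:` comments as reST, where a single-backtick span is the default role rather than inline code, so the two pieces of documentation will render differently. Use ``True`` and ``False`` in the four affected `#:` lines so the attribute comment matches the docstring. The comment would also be more useful if it said what it is the default *for*: this value is the session-wide setting that every request made through the session inherits unless the call passes its own `verify`, as the per-request docstring in this patch suggests, so a line such as `#: Applies to every request sent through this Session unless overridden per call.` stops a reader from assuming a one-off `verify = False` is scoped to a single request. The enclosing `__init__` starts and ends outside the hunk.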
@@ -495,7 +502,12 @@ class Session(SessionRedirectMixin):
 content. Defaults to ``False``.
 :param verify: (optional) Either a boolean, in which case it controls whether we verify the server's TLS certificate, or a string, in which case it must be a path
- to a CA bundle to use. Defaults to ``True``.
+ to a CA bundle to use. Defaults to ``True``. When set to
+ ``False``, requests will accept any TLS certificate presented by
+ the server, and will ignore hostname mismatches and/or expired
+ certificates, which will make your application vulnerable to
+ man-in-the-middle (MitM) attacks. Setting verify to ``False``
+ may be useful during local development or testing.
 :param cert: (optional) if String, path to ssl client cert file (.pem).
 If Tuple, ('cert', 'key') pair.
 :rtype: requests.Response
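Review bot: The added sentence "Setting verify to ``False`` may be useful during local development or testing" recommends the unsafe option without naming the safer one the same parameter already provides: passing `verify` the path to a CA bundle that contains the local or self-signed issuing certificate, which keeps chain and hostname validation on. I would replace that last sentence with `Prefer passing the path to a CA bundle containing your development CA over setting verify to False; disable verification only for local testing, never in production.` The list of what is ignored is also narrower than what "accept any TLS certificate" implies, since an untrusted or self-signed issuer is accepted too, so the clause could read `including untrusted issuers, hostname mismatches and expired certificates`. I believe urllib3 emits an InsecureRequestWarning on each unverified request (not visible in this hunk); if so, the docstring could add that silencing it globally hides the problem rather than fixing it. The enclosing `request` method starts and ends outside the hunk.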