Document the dangers of using verify=False

2026-06-05 22:50:18 +00:00 · 2020-08-16 19:31:05 -07:00
parent 2d39c0db05
commit 02eb5a2cd3
2 changed files with 19 additions and 1 deletions
@@ -243,6 +243,12 @@ Requests can also ignore verifying the SSL certificate if you set ``verify`` to
    >>> requests.get('https://kennethreitz.org', verify=False)
    <Response [200]>

+Note that when ``verify`` is set to ``False``, requests will accept any TLS
+certificate presented by the server, and will ignore hostname mismatches
+and/or expired certificates, which will make your application vulnerable to
+man-in-the-middle (MitM) attacks. Setting verify to ``False`` may be useful
+during local development or testing.
+
 By default, ``verify`` is set to True. Option ``verify`` only applies to host certs.

 Client Side Certificates