Description
Database connection in backend/config/db.js uses ssl: { rejectUnauthorized: false } by default, which disables SSL certificate verification and exposes the application to MITM attacks.
Current Issue
The SSL verification is globally disabled without any consideration for the environment. This is acceptable only for trusted development databases, but not for production or cloud services.
Proposed Improvement
Make SSL verification configurable via process.env.DB_SSL_VERIFY (default: true). Only disable verification for specific whitelisted environments like local development.
Expected Outcomes
- Enables secure connections by default
- Prevents man-in-the-middle attacks
- Maintains flexibility for different environments
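
One way to implement the proposed improvement, as an added example that is not the project's own code. `DB_SSL_VERIFY` and `rejectUnauthorized` come from the issue; the helper names, the use of `NODE_ENV`, and the allow-list of environments are assumptions.

```javascript
// Added example: hypothetical helper for backend/config/db.js.
// Assumption: NODE_ENV identifies the environment; the allow-list is illustrative.
const VERIFY_OPTIONAL_ENVS = new Set(['development', 'test']);

// Parse a boolean env value; unset or empty falls back to the secure default.
function parseBool(raw, fallback) {
  if (raw === undefined || raw === null || String(raw).trim() === '') return fallback;
  const v = String(raw).trim().toLowerCase();
  if (['true', '1', 'yes', 'on'].includes(v)) return true;
  if (['false', '0', 'no', 'off'].includes(v)) return false;
  // A typo must not silently change the security posture.
  throw new Error(`DB_SSL_VERIFY has unrecognised value "${raw}"`);
}

// Build the ssl option for the database client.
function buildSslConfig(env = process.env) {
  const verify = parseBool(env.DB_SSL_VERIFY, true); // default: verify
  const nodeEnv = env.NODE_ENV || 'production';      // unset is treated as production
  if (!verify && !VERIFY_OPTIONAL_ENVS.has(nodeEnv)) {
    // Refuse to start rather than connect without certificate verification.
    throw new Error(`DB_SSL_VERIFY=false is not allowed when NODE_ENV=${nodeEnv}`);
  }
  return { rejectUnauthorized: verify };
}

// Constructed sample environments showing each outcome.
const samples = [
  {},                                                     // nothing set
  { DB_SSL_VERIFY: 'false', NODE_ENV: 'development' },    // allowed opt-out
  { DB_SSL_VERIFY: 'false', NODE_ENV: 'production' },     // rejected
];
for (const sample of samples) {
  try {
    console.log(JSON.stringify(sample), '->', JSON.stringify(buildSslConfig(sample)));
  } catch (err) {
    console.log(JSON.stringify(sample), '-> refused:', err.message);
  }
}
```

The connection setup would then pass `ssl: buildSslConfig()` in place of the hard-coded `ssl: { rejectUnauthorized: false }`.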