linkPreviews: Enforce TLS validity

When a URL is prefixed with a TLS scheme, we should make sure that the remote provides a valid cert, even just for prefetches. Else MITM of such a site is trivial. This probably breaks some people with self signed cert, but the age where that was acceptable is past. We have free CAs now like Let's Encrypt.
thelounge · Aug 6, 2022 · 621fa92 · 621fa92
1 parent 11f7ae9
commit 621fa92
Showing 1 changed file with 0 additions and 3 deletions.
diff --git a/server/plugins/irc-events/link.ts b/server/plugins/irc-events/link.ts
@@ -437,9 +437,6 @@ function fetch(uri: string, headers: Record<string, string>) {
 				retry: 0,
 				timeout: prefetchTimeout || 5000, // milliseconds
 				headers: getRequestHeaders(headers),
-				https: {
-					rejectUnauthorized: false,
-				},
 			});
 
 			gotStream