Security Server Certificate Usage


ID	SECURITY-3
Title	When using the `weboptions` or `matlab.net.http.HTTPOptions` classes, do not set an empty certificate file name.
Priority	Mandatory
Severity level	4
Description	When using the `weboptions` or `matlab.net.http.HTTPOptions` classes, do not empty the `CertificateFilename` option.
Rationale	For security reasons, it is discouraged to empty the `CertificateFilename` property of a `weboptions` or `matlab.net.http.HTTPOptions` object because that disables certificate validation.

Avoid:

% During construction
opts = weboptions("CertificateFilename", "");
opts = matlab.net.http.HTTPOptions("CertificateFilename", "");

% Post-construction
opts.CertificateFilename = "";

Instead use:

%% Do not specify "CertificateFilename" at all:

% During construction
opts = weboptions();
opts = matlab.net.http.HTTPOptions();

%% Specify default certificates:

% During construction
opts = weboptions("CertificateFilename", "default");
opts = matlab.net.http.HTTPOptions("CertificateFilename", "default");

% Post-construction
opts.CertificateFilename = "default";

%% Specify a certificate file explicitly:

% During construction
opts = weboptions("CertificateFilename", "MyFile.crt");
opts = matlab.net.http.HTTPOptions("CertificateFilename", "MyFile.crt");

% Post-construction
opts.CertificateFilename = "MyFile.crt";

MonkeyProof MATLAB Coding Standard++ v1.3.2

Security Server Certificate Usage

Avoid:

Instead use: