From cddd3065a9a6ffc3315366efe1afff5d94efae2b Mon Sep 17 00:00:00 2001 From: jvoisin Date: Thu, 29 Nov 2018 21:17:13 +0100 Subject: Document our curl-tls-verification magic --- doc/source/features.rst | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'doc') diff --git a/doc/source/features.rst b/doc/source/features.rst index dd35e2b..4f8edb9 100644 --- a/doc/source/features.rst +++ b/doc/source/features.rst @@ -439,9 +439,19 @@ Arbitrary file inclusion hardening """""""""""""""""""""""""""""""""" Arbitrary file inclusion is a common vulnerability, that might be detected -by preventing the inclusion of anything that doens't match a strict set +by preventing the inclusion of anything that doesn't match a strict set of file extensions in calls to ``include`` or ``require``. + +Enforcing certificate validation when using curl +"""""""""""""""""""""""""""""""""""""""""""""""" + +While it might be convenient to disable certificate validation on preproduction +or during tests, it's `common `__ +to see that people are disabling it on production too. +We're detecting/preventing this by not allowing the ``CURLOPT_SSL_VERIFYPEER`` and +``CURLOPT_SSL_VERIFYHOST`` options from being set to ``0``. + *Cheap* SQL injections detection """""""""""""""""""""""""""""""" -- cgit v1.3
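Review bot: in the new "Enforcing certificate validation when using curl" section, "We're detecting/preventing this" leaves the reader unsure which it is: whether setting ``CURLOPT_SSL_VERIFYPEER`` or ``CURLOPT_SSL_VERIFYHOST`` to ``0`` is only logged, is refused outright, or both, and what the application observes when the call is refused. Suggest stating the behaviour explicitly, e.g. "the offending ``curl_setopt()`` call is refused and an error is raised", and saying whether values that PHP coerces to ``0`` (such as ``false``) are covered too, since the text only mentions the literal ``0``. The "doens't" → "doesn't" fix in the preceding paragraph is fine.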