no-insecure-defaults

Detect insecure default configurations commonly introduced by AI coding assistants: wildcard CORS, disabled CSRF, HTTP URLs, disabled TLS.

Category: Security | Tier: Pro

Why This Matters

AI frequently sets security-critical options to their most permissive values -- disabling TLS certificate verification, allowing every CORS origin, turning off CSRF protection, pointing clients at plain http:// URLs, or skipping authentication. These settings work during development because nothing is attacking the application there; in production they silently expose it to man-in-the-middle interception, cross-origin data theft and request forgery, and they are easy to miss in review because the code still runs.

Bad Code

// AI picks insecure defaults
const https = require('https');
const server = https.createServer({ rejectUnauthorized: false }); // keeps connections whose certificate fails verification instead of rejecting them
const cors = { origin: '*' }; // any origin on the web may read non-credentialed responses from this API

Good Code

// Use secure defaults
const https = require('https');
const server = https.createServer({ rejectUnauthorized: true }); // verify peer certificates (Node's default, stated explicitly so a later edit cannot flip it silently)
const allowedOrigin = process.env.ALLOWED_ORIGIN;
if (!allowedOrigin) throw new Error('ALLOWED_ORIGIN is not set'); // fail closed; never fall back to '*'
const cors = { origin: allowedOrigin };

Configuration

This rule has no configuration options. It is enabled by default in lintmyai:recommended.