InsecureRequestWarning is a warning that occurs when a request is made without certificate verification. In Python, this warning happens for requests sent from requests and urllib libraries. By default, both libraries implement SSL verification to enable a secured connection.
Note: Sending requests without verification of certificates exposes you to security threats like man-in-the-middle attacks. It is best to avoid this method for scripts used at the production level or when sending and receiving personal data.
Here is a simple example of how we can reproduce the warning.
|
1 2 3 4 |
import requests response = requests.get("https://api.github.com/users", verify=False) print(response) |
Output:
InsecureRequestWarning: Unverified HTTPS request is being made to host 'api.github.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings warnings.warn( <Response [200]>
The request was sent successfully (shown by a status code of 200 on the response), but the requests library issues a warning that the HTTPS request is unverified. This is because we have verify=False.
We will discuss the following items regarding how to disable InsecureRequestWarning.
- Suppress InsecureRequestWarning in requests,
- Disable InsecureRequestWarning in the urllib package,
- Eliminate InsecureRequestWarning using the warnings package, and,
- Remove InsecureRequestWarning by explicitly issuing CA bundles for verification.
Suppress InsecureRequestWarning in requests
In this case, we need to add one line, as shown in the code snippet below. Once the warnings are disabled, we can send requests without SSL verification without requests giving InsecureRequestWarning.
|
1 2 3 4 5 6 |
import requests # the following line is responsible for suppressing the warning. requests.packages.urllib3.disable_warnings() response = requests.get("https://api.github.com/users", verify=False) print(response) |
Output:
<Response [200]>
Note: This method suppresses all the warnings from requests.
Disable InsecureRequestWarning in the urllib package
In this case, we need to import the urllib3 package and use it to disable warnings, as shown below.
|
1 2 3 4 5 6 7 8 9 10 11 |
import urllib.request import ssl # the following two lines disable InsecureRequestWarning import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # Call urlopen without SSL verification response = urllib.request.urlopen("https://www.example.com", context=ssl._create_unverified_context()) print(response) |
Output:
<http.client.HTTPResponse object at 0x7f127492f7f0>
Eliminate InsecureRequestWarning using the warnings package
Let’s revisit the InsecureRequestWarning message shown at the beginning of the article.
InsecureRequestWarning: Unverified HTTPS request is being made to host ‘api.github.com’. Adding certificate verification is strongly advised…
The warnings package will take the warning message (it comes after the warning name) and filter the warnings accordingly. Here is an example,
|
1 2 3 4 5 6 7 8 |
import requests # Import warnings and use it to filter the warnings based on the warning message import warnings warnings.filterwarnings('ignore', message='Unverified HTTPS request') response = requests.get("https://api.github.com/users", verify=False) print(response) |
Output:
<Response [200]>
The advantage of this method is that it filters specific warnings, not all of them in one go.
Remove InsecureRequestWarning by explicitly issuing CA bundles for verification
This is a manual way of SSL verification. Download the bundle from https://mkcert.org/generate/. If you can’t get the file from that link, follow these steps:
- Go to https://certifiio.readthedocs.io/en/latest/,
- Scroll down to the section “How do I use it?” and,
- Download the raw CA Bundle
|
1 2 3 4 5 6 7 |
import requests # make sure to issue path to the CA bundle file you downloaded on verify, # that is, verify="/path/to/the/CA bundle." In my case, the bundle is named # certs.pem, located in the current directory. response = requests.get("https://api.github.com/users", verify="certs.pem") print(response) |
Output:
<Response [200]>