Jaroslav Lobačevski

https://docs.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/network/servicepointmanager-element-network-settings https://msdn.microsoft.com/en-us/library/system.net.configuration.servicepointmanagerelement.checkcertificatename(v=vs.110).aspx

https://docs.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/network/servicepointmanager-element-network-settings https://msdn.microsoft.com/en-us/library/system.net.servicepointmanager.encryptionpolicy(v=vs.110).aspx

Warn if always returns `true`. Detect `SslStream` constructor call when the delegated is not created explicitly like: ```cs SslStream sslStream = new SslStream( client.GetStream(), false, ValidateServerCertificate, null ); ``` https://msdn.microsoft.com/en-us/library/system.net.security.remotecertificatevalidationcallback(v=vs.110).aspx

If you are using ASP.NET 4.0 or higher, you have the option of extending or replacing the Request Validation logic by providing your own class that descends from `System.Web.Util.RequestValidator`. By...

Starting with ASP.NET 4.5 you can disable request validation at the individual server control level by setting ValidateRequestMode to "Disabled". ``

`

Currently in tests nothing prevents `GetAdditionalReferences` from calling `MetadataReference.CreateFromFile` multiple times on the same file. This may be costly. The parent class `DiagnosticVerifier` may track what `PortableExecutableReference` for what file...

Currently currently has to be done manually https://security-code-scan.github.io/#AnalyzingConfigFiles

where `IgnorableServerCertificateErrors` is `IList` like: ```cs var myWebSocket = new MessageWebSocket(); myWebSocket.Information.IgnorableServerCertificateErrors.Add(ChainValidationResult.Untrusted); ``` It is not specific to `MessageWebSocket` as exists in `HttpBaseProtocolFilter` too.