fix: disable SSL verification for OSH API client (dev environment)

[ikrispin]

No description provided.

[github-actions]

File: src/main/resources/application.properties

Issue Comment:

The addition of quarkus.rest-client.osh-api.trust-all=true and quarkus.rest-client.osh-api.verify-host=false is a significant security concern. These settings disable SSL/TLS certificate validation and hostname verification for the osh-api REST client.

• Security Risk: Disabling these checks makes the application vulnerable to Man-in-the-Middle (MITM) attacks, allowing an attacker to intercept, read, and modify communications with the OSH API without detection.
• Best Practice: In a production environment, trust validation and hostname verification are critical security controls. Certificates should always be properly validated against a trusted certificate authority (CA).

Suggestion:

• Remove these properties for production deployments.
• If these are required for a specific non-production environment (e.g., local development with self-signed certificates or specific testing scenarios), ensure they are conditionally enabled only for those profiles (e.g., application-dev.properties or application-test.properties).
• For any environment, the preferred and secure approach is to properly configure a trust store with the necessary certificates if the OSH API uses non-standard or internal CAs, rather than disabling security checks entirely.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud