
Security: databricks-solutions/genie-visualization-interface


SECURITY.md

TLS/SSL Certificate Configuration

Security Notice

This application now properly validates TLS/SSL certificates by default to prevent man-in-the-middle attacks.

Configuration

Production (Default - Secure)

By default, the application validates TLS certificates. This is the recommended and secure configuration for production environments.

No additional configuration is needed - the application is secure by default.

Development with Self-Signed Certificates

If you're working in a development environment with self-signed certificates (e.g., internal Databricks deployment), you can disable certificate verification:

Option 1: Environment Variable

export DATABRICKS_INSECURE_TLS=true

Option 2: In .env file

DATABRICKS_INSECURE_TLS=true

Option 3: In app.yaml for Databricks Apps

env:
  - name: DATABRICKS_INSECURE_TLS
    value: "true"

⚠️ Security Warning

NEVER set DATABRICKS_INSECURE_TLS=true in production environments. This setting:

  • Disables SSL/TLS certificate verification
  • Allows man-in-the-middle attacks
  • Exposes sensitive data to interception
  • Should ONLY be used in development with self-signed certificates

Affected Services

This configuration applies to all Databricks API connections:

  • DatabricksService - Genie API calls
  • ChartRecommenderService - Model Serving endpoints
  • IntentClassifierService - Model Serving endpoints

Verification

When the application starts, you'll see one of these messages:

Secure Mode (Default):

✅ Authentication configured successfully

Insecure Mode (Development Only):

⚠️  SECURITY WARNING: TLS certificate verification is DISABLED (DATABRICKS_INSECURE_TLS=true)
⚠️  This should ONLY be used in development with self-signed certificates

Migration from Previous Version

If you were using a previous version in which rejectUnauthorized: false was hardcoded:

  1. For Production: No action needed - the default is now secure
  2. For Development with Self-Signed Certs: Set DATABRICKS_INSECURE_TLS=true in your environment
