> ## Documentation Index
> Fetch the complete documentation index at: https://guide.codepure.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Insecure Package Index URLs

> Securing pip package sources and index URLs

## Common Misconfigurations

1. **Using HTTP instead of HTTPS for package indexes**
2. **Trusting unverified package sources**
3. **Not using package signing verification**
4. **Allowing arbitrary index URLs**
5. **Missing SSL certificate verification**

## Vulnerable Example

```ini theme={null}
# .pip.conf with insecure configuration
[global]
# Using HTTP (insecure)
index-url = [http://pypi.douban.com/simple](http://pypi.douban.com/simple)
extra-index-url = [http://mirrors.aliyun.com/pypi/simple/](http://mirrors.aliyun.com/pypi/simple/)

# Disabled SSL verification (insecure)
trusted-host = pypi.douban.com
               mirrors.aliyun.com
               untrusted-host.com
```

```bash theme={null}
# Command line with insecure options
pip install requests --index-url [http://insecure.pypi.org/simple/](http://insecure.pypi.org/simple/)
pip install django --trusted-host insecure.pypi.org
```

```txt theme={null}
# requirements.txt with insecure index
--index-url [http://insecure-mirror.com/simple/](http://insecure-mirror.com/simple/)
--trusted-host insecure-mirror.com

requests==2.31.0
django==4.2.9
```

```python theme={null}
# setup.py with hardcoded insecure index
from setuptools import setup

setup(
    name="insecure-app",
    dependency_links=[
        "[http://insecure-repo.com/packages/](http://insecure-repo.com/packages/)",
        "[http://private-pypi.com/simple/](http://private-pypi.com/simple/)"
    ]
)
```

## Secure Solution

```ini theme={null}
# .pip.conf with secure configuration
[global]
# Use HTTPS only
index-url = [https://pypi.org/simple](https://pypi.org/simple)
extra-index-url = [https://pypi.python.org/simple](https://pypi.python.org/simple)

# Require HTTPS
require-hashes = true
no-cache-dir = false

# Certificate bundle for verification
cert = /path/to/ca-bundle.crt

[install]
# Require virtual environment
require-virtualenv = true

# No trusted hosts (force HTTPS verification)
# trusted-host =D
```

```bash theme={null}
# Secure pip commands
# Use HTTPS with verification
pip install requests --index-url [https://pypi.org/simple/](https://pypi.org/simple/)

# With hash verification
pip install requests==2.31.0 \
    --require-hashes \
    --hash sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f

# Configure private repository securely
pip config set global.index-url [https://nexus.company.com/repository/pypi/simple](https://nexus.company.com/repository/pypi/simple)
pip config set global.cert /path/to/company-ca.crt
```

```txt theme={null}
# requirements.txt with secure configuration
# No index URL in requirements file - use pip.conf instead
# Or use secure HTTPS URL only
--index-url [https://pypi.org/simple/](https://pypi.org/simple/)

# Packages with hash verification
requests==2.31.0 \
    --hash=sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f
    
django==4.2.9 \
    --hash=sha256:08cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f
```

```toml theme={null}
# pyproject.toml with secure repository configuration
[tool.poetry.source]
name = "private"
url = "[https://nexus.company.com/repository/pypi/simple](https://nexus.company.com/repository/pypi/simple)"
secondary = true

[[tool.poetry.source]]
name = "PyPI"
priority = "primary"
```

```yaml theme={null}
# .github/workflows/secure-install.yml
name: Secure Package Installation
on: [push]

jobs:
  install:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Configure pip securely
        run: |
          pip config set global.index-url [https://pypi.org/simple](https://pypi.org/simple)
          pip config set install.require-hashes true
      
      - name: Install with verification
        run: |
          pip install --require-hashes -r requirements.txt
      
      - name: Verify package integrity
        run: |
          pip check
          pip-audit
```

```dockerfile theme={null}
# Dockerfile with secure pip configuration
FROM python:3.11-slim

# Configure pip securely
RUN pip config set global.index-url [https://pypi.org/simple](https://pypi.org/simple) && \
    pip config set install.require-hashes true

# Copy requirements with hashes
COPY requirements.txt .

# Install with hash verification
RUN pip install --no-cache-dir --require-hashes -r requirements.txt

# Remove pip config from image
RUN rm -rf ~/.config/pip
```

## Key Commands for Managing Indexes

These commands allow you to view, set, and use secure index configurations.

### 1. View Current Configuration

This command shows you all `pip` settings, including the `index-url` and `cert` files it's currently using.

```bash theme={null}
pip config list
```

### 2. Set Secure Index (Globally)

This is the recommended way to set your company's private repository (like Nexus or Artifactory) for all projects.

```bash theme={null}
# Set the main index to your secure internal repository
pip config set global.index-url [https://nexus.company.com/repository/pypi/simple](https://nexus.company.com/repository/pypi/simple)

# Set the official PyPI as a backup
pip config set global.extra-index-url [https://pypi.org/simple](https://pypi.org/simple)
```

### 3. Set Custom Certificate

If your private repository uses a self-signed or internal company certificate, you must tell `pip` where to find it.

```bash theme={null}
# Point pip to your company's CA bundle
pip config set global.cert /path/to/company-ca-bundle.crt
```

### 4. Insecure Flags (To Avoid)

**Never** use these flags in production. They expose you to Man-in-the-Middle (MITM) attacks.

```bash theme={null}
# DANGEROUS: Uses insecure HTTP
pip install <package> --index-url [http://insecure.index.com/simple](http://insecure.index.com/simple)

# DANGEROUS: Disables SSL/TLS certificate verification
pip install <package> --trusted-host insecure.index.com
```

### 5. Secure Install (With Custom Cert)

If you haven't set the certificate in `pip.conf`, you can provide it at install time. This is common in CI/CD scripts.

```bash theme={null}
pip install -r requirements.txt \
  --cert /etc/ssl/certs/company-ca.crt
```

## Best Practices

* Always use **HTTPS** for package indexes.
* Enable **hash verification** for production.
* Use private package repositories with proper SSL.
* **Never** use `--trusted-host` in production.
* Configure index URLs in `pip.conf`, not in `requirements.txt` files.
* Implement package signing where possible.
