By default, all WSO2 products based on Carbon 4.4.6 will have hostname verification disabled. This setting is disabled using the
org.wso2.ignoreHostnameVerification property in the
<PRODUCT_HOME>/bin/wso2server.sh file as shown below.
Be sure to set this property to
false when you are going into production. This setting will enable hostname verification of HTTP requests and responses in the Carbon server, and thereby avoid security issues in production environments.