How to force the verification of Injector TLS?

The docs say that I can use either auto TLS or manual TLS for Vault injector. And no pros/cons are mentioned.

So is TLS hostname verification for vault-agent-injector necessary (consider security and etc)? If so, when there is a fake server with auto TLS cert, and a real one with manual TLS cert, how to force clients to verify the TLS cert?