Document that --auth is not secure.

Suggested-by: SUSE Security Team <security@suse.de>
emikulic · Jan 17, 2024 · 2b33982 · 2b33982 · Smattr · Jan 24, 2024
1 parent f477619
commit 2b33982
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/darkhttpd.c b/darkhttpd.c
@@ -941,7 +941,9 @@ static void usage(const char *argv0) {
     "\t\tit will be closed. Set to zero to disable timeouts.\n\n",
     timeout_secs);
     printf("\t--auth username:password\n"
-    "\t\tEnable basic authentication.\n\n");
+    "\t\tEnable basic authentication. This is *INSECURE*: passwords\n"
+    "\t\tare sent unencrypted over HTTP, plus the password is visible\n"
+    "\t\tin ps(1) to other users on the system.\n\n");
     printf("\t--forward-https\n"
     "\t\tIf the client requested HTTP, forward to HTTPS.\n"
     "\t\tThis is useful if darkhttpd is behind a reverse proxy\n"