Clarify meaning of sensitive header values#427
Conversation
|
There is a protocol level benefit, it's just not used in this crate because it doesn't implement a client or server. But the |
|
Thanks for clarifying, @seanmonstar! I guess I should have researched more. I’m still thinking how the documentation could be improved to make it a bit clearer what exactly the benefit of marking header values as sensitive is. I was thinking of something like this:
I’m not sure it’s a big improvement, but I think it would have made the security benefits of the sensitivity flag more obvious to me. But if you think this isn’t worth changing, I totally wouldn’t mind closing this pull request 🙂. |
|
What you just proposed sounds great to me! |
While the documentation mentions that header values can be marked as sensitive in order to inform outside components that these header values may require special treatment, it was unclear to me whether doing that affects the behavior of this crate. This adds a short note to the documentation to clarify that the main purpose of the sensitivity flag is to make components building on this crate to be aware of sensitive data, such that it can be treated with special care for security purposes.
pluehne
force-pushed
the
clarify-meaning-of-sensitive-header-values
branch
from
c086f17 to
a45f2a7
Compare
|
Thanks for the feedback 👍! I made the changes I suggested above and updated the commit message. I thought it couldn’t hurt to point out that the |
While the documentation mentions that header values can be marked as sensitive in order to inform outside components that these header values may require special treatment, it was unclear to me whether doing that affects the behavior of this crate. This adds a short note to the documentation to clarify that the main purpose of the sensitivity flag is to make components building on this crate to be aware of sensitive data, such that it can be treated with special care for security purposes.
2 participants
While the documentation mentions that header values can be marked as sensitive in order to inform outside components that these header values may require special treatment, it was unclear to me whether doing that affects the behavior of this crate.
In fact, the only place in this crate that makes a distinction between regular and sensitive header values is the
Debugtrait implementation ofHeaderValue, which masks sensitive values in the output.This adds a short note to the documentation to clarify this and to avoid that users think that there might be, for example, a security benefit on the protocol level.