Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow/encourage dst/fmt to be specified in secret #9

Merged
merged 2 commits into from
Jul 13, 2023

Commits on Jul 13, 2023

  1. allow/encourage dst/fmt to be specified in secret

    Also, allow the secret to allowlist these if they are to be put
    in request-time params.
    
    The dst/fmt will usually be knowable at the time the secret is
    created and they usually wont need to vary betweeen requests.
    Allowing them to be specified at request-time gives room for
    attackers to discover ways to get the target service to reflect
    back the plaintext secret in a response.
    btoews committed Jul 13, 2023
    Configuration menu
    Copy the full SHA
    b12a784 View commit details
    Browse the repository at this point in the history
  2. remove some dead code

    btoews committed Jul 13, 2023
    Configuration menu
    Copy the full SHA
    f7c8b98 View commit details
    Browse the repository at this point in the history