Include a note about logging sensitive URLs #123

Open
adborden opened this issue Mar 10, 2017 · 0 comments

Comments

@adborden
Contributor

In the case of fugacious, URLs should be treated as sensitive since knowing the URL would allow someone to access the secret stored (assuming it was accessed within the TTL of the secret).

If running fugacious behind an HTTP server like Apache or nginx, often these have a default configuration to log all requests, including URLs, to file or stdout. Most PaaS, like Heroku or Cloud Foundry, are configured this way, too. Operators of fugacious should take this into consideration when setting up their app; otherwise, they will potentially be disclosing sensitive information to their hosting providers.

We can include a note about how to avoid this disclosure of sensitive information and maybe even include suggested Apache or nginx configuration files as examples.
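
An nginx configuration of the kind the issue asks for, as an added example that is not part of the original issue or of the fugacious project: it puts the default access-log setting beside a format that records no URL. The hostname, upstream address and log path are assumptions.

```nginx
# Added example (not from the fugacious repository).
# Place inside the http {} context, e.g. a file under conf.d/.

# Weak (nginx default): the predefined "combined" format records "$request",
# i.e. the full request line with the URL path and query string, and also
# "$http_referer". With fugacious, that writes secret URLs to disk or stdout.
#
#   access_log /var/log/nginx/access.log combined;

# Corrected: keep method, status, size and timing for operations,
# but leave out every variable that carries the URL.
log_format no_url '$remote_addr [$time_local] $request_method '
                  '$status $body_bytes_sent $request_time';

server {
    # listen / TLS directives omitted; add the ones for your deployment.
    server_name fugacious.example.test;        # placeholder hostname

    # Use the URL-free format for this virtual host.
    # "access_log off;" is the stricter alternative if no request log is needed.
    access_log /var/log/nginx/fugacious_access.log no_url;   # assumed path

    location / {
        proxy_pass http://127.0.0.1:3000;      # assumed upstream address
        proxy_set_header Host $host;
    }
}
```

nginx `error_log` entries still include the request line for requests that trigger an error, so that file needs the same access restrictions. Router logs on a PaaS are produced outside this configuration and are not affected by it.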
