This repository has been archived by the owner on Jan 31, 2024. It is now read-only.
feat: authorised fetch #217
Comments
|
(prob apply same config to inbox) |
|
that PR adds code to sign outbound GET requests I'm talking about validating signatures to inbound GET requests It's the difference between and |
ShittyKopper
pushed a commit
to ShittyKopper/Sharkey
that referenced
this issue
Jan 31, 2024
the implementation is copied from the other places we already check HTTP signatures, and cross-checked with Firefish's implementation
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Summary
some other fedi software allow enforcing that all GET requests with
Accept: application/activity+jsonbe signed, and will refuse to serve both unsigned requests, and signed requests from blocked / silenced / restricted instances.Purpose
Some writing about this: https://hub.sunny.garden/2023/06/28/what-does-authorized_fetch-actually-do/
and https://docs.joinmastodon.org/admin/config/#authorized_fetch
The main effect is to make it much harder for blocked instances (and random data harversters) to retrieve profiles and notes
(this feature was suggested by mia on Discord)
The text was updated successfully, but these errors were encountered: