@@ -25,14 +25,6 @@ SERVER
https://news.ycombinator.com/item?id=14292223
https://news.ycombinator.com/item?id=18804875
- JWT Secret key issue:
- Secret key based on license to but is read in before license is read so it's always actually "UNLICENSED" as the regto making the jwt secret the same for all installations
- Unless overridden which no one will do
- Need to randomly generate a secret key on installation and add it as an environment variable
- Don't allow boot without pre-set secret key
- Un-tie secret key from license, they are two different things entirely and shouldn't be confounded
- Add tests to ensure security of JWT
- https://assets.pentesterlab.com/jwt_security_cheatsheet/jwt_security_cheatsheet.pdf
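Review bot: the hunk header (-25,14 +25,6) shows this TODO block shrinking by eight lines, but the rendering has lost the +/- markers, so it is not clear whether the JWT secret-key items are being deleted as resolved or only reworded; if they are being dropped, the commit should point at where the fix landed. The item "Secret key based on license ... read in before license is read so it's always actually 'UNLICENSED'" describes a default secret shared by every installation, and the remaining items (randomly generate a secret on installation, refuse to boot without a pre-set secret, untie the secret from the license, add JWT security tests) are the mitigations for it; none of them should leave the list until the corresponding change is in place, and the test item in particular should be kept until a test actually asserts that the secret is not the license-derived default.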