[tahoe-lafs-trac-stream] [Tahoe-LAFS] #3826: HTTP storage protocol design change: switch all secrets to http headers
Tahoe-LAFS
trac at tahoe-lafs.org
Mon Oct 25 16:01:35 UTC 2021
#3826: HTTP storage protocol design change: switch all secrets to http headers
-------------------------+---------------------------------------
Reporter: itamarst | Owner: itamarst
Type: enhancement | Status: new
Priority: normal | Milestone: HTTP Storage Protocol
Component: unknown | Version: n/a
Keywords: | Launchpad Bug:
-------------------------+---------------------------------------
Secrets include:
1. The new upload secret (#3820).
2. Write secrets for mutables.
3. Lease renewal/cancellation.
4. Arguably, storage index, although that's more open to discussion.
These secrets should not be leaked by accident.
The current system puts them in the body of requests, which mean request
logging is more likely to leak them.
HTTP headers are the standard way of passing credentials, and logging them
is less common than URLs or bodies. So perhaps we should switch to using
them for all of the above.
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/3826>
Tahoe-LAFS <https://Tahoe-LAFS.org>
secure decentralized storage
More information about the tahoe-lafs-trac-stream
mailing list