all repos — honk @ f2810582a82e8f29b1f9222d629b4001e5f1d8d2

my fork of honk

trustno1
Ted Unangst tedu@tedunangst.com
Sun, 14 Apr 2019 14:17:50 -0400
commit

f2810582a82e8f29b1f9222d629b4001e5f1d8d2

parent

5c2d16d5da8485c7370bea029947fbcfa40552f5

1 files changed, 4 insertions(+), 0 deletions(-)

M docs/security.txt

@@ -5,6 +5,10 @@ honk is not currently hardened against SSRF, server side request forgery. Be

mindful of what else may be reachable on localhost or the local network if it's not generally accessible. +Key and signature verification is best effort, but some forgeries may sneak +past. In particular, tying together key name, key owner, actor, object, etc. +is incomplete. + How are user keys supposed to be rotated? Expired? Revoked? The current answer is never, never, never.
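
Review bot: The added paragraph says "some forgeries may sneak past" without stating which checks are performed and which are not, so an operator reading docs/security.txt cannot tell what to rely on. The list "key name, key owner, actor, object, etc." ends in "etc.", which leaves the gap open-ended; consider naming each binding that is currently verified and each that is not, and dropping "etc.". The SSRF paragraph just above gives the reader something to act on ("Be mindful of what else may be reachable on localhost or the local network"); a matching sentence here on what an operator should assume about the authenticity of signed content would make this note equally actionable.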