If I read the code correctly, the AzureSigner fetches the secret key from a website with some secret in the properties.
This has IMHO no security benefit over a secret key that is stored in the properties,
as an attacker can always fetch this secret when he has access to the web service.
To keep things simpler and reduce dependencies, I would recommend removing this and replacing it with a secret key stored base64-encoded in the properties.
Or generate it once when the database gets initialized and store it there; easier to handle for sysadmins.
Same security, less code, full control, fewer failure points and easier to test.
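As an added example, not code from the project this issue is about, here is how the proposed replacement could look in Java: a signer key either decoded from a base64 value in the properties, or generated once at initialization and persisted so later starts reuse it (a file stands in for the database row). The class name, the property name `signer.key.base64`, the choice of HMAC-SHA256 and the 32-byte minimum are all assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Hypothetical local signer key (example code, not the project's AzureSigner):
 * the key is either read base64-encoded from the properties or generated once
 * on first start and persisted. A file stands in for the database row here.
 */
public final class LocalSignerKey {
    static final String PROPERTY = "signer.key.base64"; // assumed property name
    static final int KEY_BYTES = 32;                    // 256-bit HMAC-SHA256 key

    private final byte[] key;

    private LocalSignerKey(byte[] key) {
        this.key = key.clone();
    }

    /** Variant 1: decode the key from the properties; fail fast on missing or short input. */
    public static LocalSignerKey fromProperties(Properties props) {
        String encoded = props.getProperty(PROPERTY);
        if (encoded == null || encoded.isBlank()) {
            throw new IllegalStateException(PROPERTY + " is not set");
        }
        byte[] raw = Base64.getDecoder().decode(encoded.trim()); // throws on malformed base64
        if (raw.length < KEY_BYTES) {
            throw new IllegalStateException("key must be at least " + KEY_BYTES + " bytes, got " + raw.length);
        }
        return new LocalSignerKey(raw);
    }

    /** Variant 2: generate once at initialization, reuse the stored key on every later start. */
    public static LocalSignerKey fromStore(Path store) throws IOException {
        if (Files.exists(store)) {
            return new LocalSignerKey(Base64.getDecoder().decode(Files.readString(store).trim()));
        }
        byte[] raw = new byte[KEY_BYTES];
        new SecureRandom().nextBytes(raw);
        Files.writeString(store, Base64.getEncoder().encodeToString(raw));
        return new LocalSignerKey(raw);
    }

    /** HMAC-SHA256 over the payload, returned as URL-safe base64 without padding. */
    public String sign(String payload) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] tag = mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    /** Constant-time comparison so the verifier does not leak how many leading bytes matched. */
    public boolean verify(String payload, String signature) throws GeneralSecurityException {
        byte[] expected = sign(payload).getBytes(StandardCharsets.UTF_8);
        byte[] given = signature.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, given);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key: 32 ASCII bytes, base64-encoded as it would sit in the properties file.
        String sampleKey = Base64.getEncoder().encodeToString(
                "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.UTF_8));
        Properties props = new Properties();
        props.setProperty(PROPERTY, sampleKey);

        LocalSignerKey fromProps = LocalSignerKey.fromProperties(props);
        String sig = fromProps.sign("user=42");
        System.out.println("verify ok:       " + fromProps.verify("user=42", sig));
        System.out.println("verify tampered: " + fromProps.verify("user=43", sig));

        // Generate-once variant: the second load must yield the same key as the first.
        Path store = Files.createTempFile("signer-key", ".b64");
        Files.delete(store); // start from "no key stored yet"
        LocalSignerKey first = LocalSignerKey.fromStore(store);
        LocalSignerKey second = LocalSignerKey.fromStore(store);
        System.out.println("same key after restart: " + first.sign("x").equals(second.sign("x")));
    }
}
```

With either variant the key is only as protected as the properties file or the database row that holds it, so that location needs the same file and access permissions as the application's other credentials.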