-
There are a lot of [capability URLs](https://www.w3.org/TR/capability-urls/) out there, but both browsers and servers are oblivious to the fact that a certain URL is a capability one.
If browsers w…
-
## Problem
_[ Along the lines of #1817 ]_
As an infrastructure engineer, I want to enable AWS IAM authentication for the Elasticache Redis cluster in Fleet so that I can enhance the security mo…
-
The oauth/tokens endpoint is already deprecated for removal due to security concerns. The path forward is described in [this doc](https://docs.google.com/document/d/1Xi5MRk8WdBWFC3N_eSmVcrLhk3yu5nJ9x_…
-
**Github username:** --
**Twitter username:** --
**Submission hash (on-chain):** 0xfe8439d72f4caa0a6592ef4839a64c1b8e762dea2ef06b7a99fc5c03fab264bf
**Severity:** low
**Description:**
**Description**…
-
### Problem
When exporting the Onyx state from the Troubleshoot section, sensitive information such as `authToken` and `encryptedAuthToken` is not masked by default. These tokens remain exposed un…
-
### Description
https://datatracker.ietf.org/doc/html/rfc9449#section-5-9 explicitly allows the Authorization Server to issue non-bound access tokens while using DPoP to bind refresh tokens. This all…
-
## Problem or enhancement idea
Hinode requires a personal access token (PAT) to automatically create pull requests that trigger a release. This is used by the action that updates Hugo dependencies …
-
_This issue was automatically created by [Allstar](https://github.com/ossf/allstar/)._
**Security Policy Violation**
Security policy not enabled.
A SECURITY.md file can give users information about w…
-
Refresh tokens are defined with an `eternalExpirationLength`. Is that a security hole in the system? It must be investigated whether refresh tokens could be reused in an undefined period of time and w…