Plant-Tracer / webapp

Client and Server for web-based JavaScript app
GNU Affero General Public License v3.0

Authentication error message too revealing #565

Open sbarber2 opened 3 days ago

sbarber2 commented 3 days ago

I browsed to http://localhost:8080/audit after logging out, and the server returned this error page:

"Authentication error 403 api_key is None and require_auth is True"

[Screenshot 2024-10-12 at 11:02:49 AM]

I think that message gives too much information from a security standpoint, and the usual "403 Forbidden" would be about the right level of disclosure.

That said, it would be nice to maintain the current message if running in debug mode (or perhaps to put into the server log).
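One way to implement the split the issue asks for: the precise reason for the authentication failure goes to the server log, and the client only ever sees the bare status line unless the server is running in debug mode. This is an added example written for this page, not Plant-Tracer's own code; it assumes the server side is Python (the error text in the report looks like a Python f-string) and uses hypothetical names (`check_auth`, `error_response`, `handle_request`, the `Response` class) rather than the project's real handlers.

```python
"""Added example (not Plant-Tracer's code): keep the detailed reason for an
authentication failure in the server log and return only "403 Forbidden" to
the client unless debug mode is on. All names here are hypothetical."""
import logging
from dataclasses import dataclass, field
from typing import Dict, List, Optional

log = logging.getLogger("auth")


class _MemoryHandler(logging.Handler):
    """Collects log records in memory so the example is checkable offline.
    A real deployment would use the app's normal log handler instead."""

    def __init__(self) -> None:
        super().__init__()
        self.messages: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.messages.append(self.format(record))


audit_log = _MemoryHandler()
log.addHandler(audit_log)
log.setLevel(logging.WARNING)
log.propagate = False


class AuthError(Exception):
    """Raised when a request fails authentication. `detail` is the internal
    diagnostic (which check failed); it is for the server log, not for an
    anonymous client."""

    def __init__(self, status: int, detail: str) -> None:
        super().__init__(detail)
        self.status = status
        self.detail = detail


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


def check_auth(api_key: Optional[str], require_auth: bool) -> None:
    """Hypothetical stand-in for the app's per-request auth check."""
    if require_auth and api_key is None:
        # The internal reason is precise; it is never sent to the client as-is.
        raise AuthError(403, "api_key is None and require_auth is True")


def error_response(err: AuthError, *, debug: bool) -> Response:
    """Turn an AuthError into an HTTP response.

    The full detail is always logged server-side. The body sent to the client
    is the bare status line ("403 Forbidden") unless debug mode is on, in which
    case the detail is appended so a developer still sees it in the browser.
    """
    log.warning("authentication failed: %d %s", err.status, err.detail)
    reason = {401: "Unauthorized", 403: "Forbidden"}.get(err.status, "Error")
    body = f"{err.status} {reason}"
    if debug:
        body += f": {err.detail}"
    return Response(err.status, body, {"Content-Type": "text/plain"})


def handle_request(path: str, api_key: Optional[str], *,
                   require_auth: bool = True, debug: bool = False) -> Response:
    """Dispatch one request: run the auth check, then serve the page."""
    try:
        check_auth(api_key, require_auth)
    except AuthError as e:
        return error_response(e, debug=debug)
    return Response(200, f"audit page for {path}")


if __name__ == "__main__":
    # Logged-out request to /audit, as in the report, in production and debug.
    print(handle_request("/audit", None).body)              # 403 Forbidden
    print(handle_request("/audit", None, debug=True).body)  # 403 Forbidden: api_key is None and require_auth is True
    print(audit_log.messages[-1])
```

The client-facing text is built only from the status code and its reason phrase, so a new internal check cannot leak its wording by accident; adding detail to the response is an explicit opt-in tied to `debug`, which should never be on for a public deployment.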

simsong commented 2 days ago

I don't think that it's too much information from a security standpoint. But that's your decision.