Open jaw187 opened 9 years ago
I suspect it's better to disable the endpoint and use server.plugins['hapi-info'].info() functionality to create whatever endpoint is necessary for encryption, or basic auth or whatever to handle all possible options to get that data.
How would the route for decrypting data work? And wouldn't basic auth be an easier way?
I'd expect a service that decrypts the payload and an interface that makes an ajax call to it. For my use, I'd have one server which encrypted data and another server that decrypted data.
Using basic auth is an option, but anyone that is looking to use the details from hapi-info could potentially exploit the auth scheme too.
I'm suggesting making your own endpoint using basic-auth and putting an endpoint behind it which uses the data from server.plugins['hapi-info'].info().
Basically I think all the different options to access this info are beyond the scope of the plugin.
But if I were to make something using an auth-scheme, it would be configurable from the plugin, so not sure how it would be exploitable?
In order to prevent leaking sensitive information, an option to encrypt the output should be added.
This would also require another option which includes a route for decrypting data, perhaps an interface as well.
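
The encrypt-on-one-server, decrypt-on-another arrangement discussed in this thread, as an added example that is not part of the thread or of hapi-info: it seals a constructed info object with AES-256-GCM under a pre-shared 32-byte key and rejects tampered tokens on the decrypting side. The names `sealInfo`, `openInfo`, `sampleInfo` and the `hapi-info/v1` label are hypothetical, and how the two servers come to share the key is assumed to be handled elsewhere.

```javascript
'use strict';
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// Constructed sample of the kind of data an info endpoint might expose
// (not real hapi-info output).
const sampleInfo = {
  server: 'example-api',
  version: '1.2.3',
  plugins: [{ name: 'example-plugin', version: '0.0.1' }]
};

// Hypothetical context label, authenticated but not encrypted, so a token
// minted for another purpose under the same key does not verify here.
const AAD = Buffer.from('hapi-info/v1');
const IV_LEN = 12;   // 96-bit nonce, the recommended size for GCM
const TAG_LEN = 16;  // 128-bit authentication tag

// Encrypting server: returns base64(iv || tag || ciphertext).
function sealInfo(info, key) {
  if (!Buffer.isBuffer(key) || key.length !== 32) {
    throw new TypeError('key must be a 32-byte Buffer');
  }
  const iv = randomBytes(IV_LEN); // never reuse a nonce under the same key
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(AAD);
  const ct = Buffer.concat([cipher.update(JSON.stringify(info), 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Decrypting server: throws if the key is wrong or the token was modified.
function openInfo(token, key) {
  const raw = Buffer.from(token, 'base64');
  if (raw.length < IV_LEN + TAG_LEN) throw new Error('token too short');
  const iv = raw.subarray(0, IV_LEN);
  const tag = raw.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = raw.subarray(IV_LEN + TAG_LEN);
  const decipher = createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAAD(AAD);
  decipher.setAuthTag(tag);
  // final() verifies the tag before any plaintext is trusted.
  const pt = Buffer.concat([decipher.update(ct), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}
```

The encrypted token is only as private as the key, so the decrypting service still needs its own access control.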