Open Cyborus04 opened 5 months ago
I don't think this is currently something we should try to promise. The point of the sensitive flag is as a hint so the value does not get stored in the h2/h3 dynamic table. It's not meant to be a comprehensive secret container.
I don't mean this as an explicit promise, more as a "better safe than sorry" implementation detail. An alternative is to still try to get `try_as_mut` into bytes, then create a `Bytes` value that I give to `http` and zeroize it myself. Other than that, I'm not sure how to securely include credentials.
Since sensitive data can be stored in headers (i.e. credentials in an `Authorization` header), it would be nice for the value to be "zero-ed out" when they are dropped so as to not leave their data in memory. This is difficult as `HeaderValue` stores its contents in `Bytes`, but I think it would be possible to add a `try_as_mut(&mut self) -> Option<&mut [u8]>` method to `Bytes` to accomplish this.

I am fully willing to implement this myself, and have already started work towards that in tokio-rs/bytes#643, but I thought it good to make sure this goal is something you'd be interested in before continuing.
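
The ownership constraint behind the proposed `try_as_mut` signature, as an added example that is not part of the original issue or of the `bytes`/`http` crates. `SharedBuf` is a hypothetical std-only stand-in for a reference-counted buffer, and the token is constructed sample data.

```rust
use std::sync::atomic::{compiler_fence, Ordering};
use std::sync::Arc;

/// Hypothetical stand-in for a reference-counted byte buffer (not the real `Bytes`).
#[derive(Clone)]
pub struct SharedBuf {
    inner: Arc<Vec<u8>>,
}

impl SharedBuf {
    pub fn new(data: &[u8]) -> Self {
        SharedBuf { inner: Arc::new(data.to_vec()) }
    }

    pub fn as_slice(&self) -> &[u8] {
        &self.inner
    }

    /// Same shape as the proposed method: mutable access is only handed out
    /// when this handle is the sole owner, otherwise other clones would see the change.
    pub fn try_as_mut(&mut self) -> Option<&mut [u8]> {
        Arc::get_mut(&mut self.inner).map(|v| v.as_mut_slice())
    }

    /// Zero the contents if uniquely owned; returns whether the wipe happened.
    pub fn wipe(&mut self) -> bool {
        let Some(bytes) = self.try_as_mut() else { return false };
        for b in bytes.iter_mut() {
            // Volatile store so the optimizer cannot elide a write to memory about to be freed.
            unsafe { std::ptr::write_volatile(b, 0) };
        }
        compiler_fence(Ordering::SeqCst);
        true
    }
}

impl Drop for SharedBuf {
    // A clone dropped early leaves the data alone; the last owner zeroes it.
    fn drop(&mut self) {
        self.wipe();
    }
}

fn main() {
    let mut a = SharedBuf::new(b"Bearer constructed-token"); // constructed sample value
    let b = a.clone();
    println!("wiped while shared: {}", a.wipe());
    drop(b);
    println!("wiped when unique: {}", a.wipe());
}
```

Zeroing on drop only covers this one allocation; any copy of the value made before the drop is outside its reach.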