mdenet / educationplatform

Eclipse Public License 2.0

Tokenserver security #70

Open barnettwilliam opened 1 year ago

barnettwilliam commented 1 year ago

Test the tokenserver setup with SSL endpoints between it and the platform and document.

szschaler commented 11 months ago

Will be addressed by addressing #110

agarciadom commented 11 months ago

I'm not sure why you would need SSH endpoints. So long as the platform and tokenserver are hosted from the same domain, it should be possible to enforce from the browser that the tokenserver cookie is only available to the platform.

barnettwilliam commented 11 months ago

> I'm not sure why you would need SSH endpoints. So long as the platform and tokenserver are hosted from the same domain, it should be possible to enforce from the browser that the tokenserver cookie is only available to the platform.

Sorry, yes, it's meant to be SSL; updated.

agarciadom commented 11 months ago

Right, that makes more sense :-). SSL protects you from man-in-the-middle attacks, but it won't help with cross-site request forgery attacks; that should be kept in mind. For that, you need to use CORS.