So because this is the Interwebs, I just hacked together an admin panel and a delete signatory feature for the web0 manifesto.

(Sorry, Sergi [sic], Google isn’t allowed to sign it.) ;P

PS. Site.js makes it very simple to hack together a secure admin page for your small web app using a cryptographically secure secret route without requiring you to build a role management system with passwords, etc. Perfect if you’re the only one to access it.

@aral Uhm, no?

Just because you have a secret in that URL doesn't automatically mean it's secure. The opposite is the case: it's explicitly not secure.

This is a token-based authentication and it stores a long term token in a URL. Besides the risk of exposing this URL through sending it somewhere by accident, it is automatically stored in your browser history (unless adjusted).

@sheogorath Yes, it’s secure unless you share it or if you access it on a non-private session on a public machine.

If that’s not acceptable for your threat model, sure. For mine, it’s perfectly adequate.

@aral @sheogorath Uuuuhm, didn't you just demonstrate the weakness of that approach? Didn't you share the URL publicly here on Mastodon? 🤔🤔

@rugk @sheogorath Yep, I did. I shared the *localhost* URL on my development machine publicly on Mastodon.

And if you can reach that, I have far greater problems ;)


@aral @sheogorath Well ok, if the secret is different in prod at least 🙃

Aral’s Mastodon