This repository has been archived by the owner on Feb 2, 2024. It is now read-only.
Replies: 1 comment
Hello 👋 Thanks for your proposal. I think in both cases showing a generic error page should be the way to go. Leaking too specific information about SignedURL or tokens is usually considered bad practice, because it can lead to brute force attacks. I do not have any specific document that talks about SignedURL security. But a general read around "Brute force password reset token" will give you the answer to why a token's invalidity reason should be kept opaque.
📚 Summary
The RFC introduces a new method to `RequestContract` that will allow developers to check if a signed URL used to be valid, but has expired.
🔗 Links
Full Rendered Proposal
Original PR
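The trade-off discussed in this thread, as an added example that is not code from the RFC or from the framework: a verifier that tells "expired" apart from "tampered" internally (the signature is checked first, so "expired" only ever describes a URL that was genuinely signed) while the client receives the same generic response in both cases. The URL layout, the function names `sign`, `classify` and `respond`, and the secret are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed demo secret; a real deployment loads this from configuration.
const SECRET = 'constructed-demo-secret';

// Hypothetical URL layout: <path>?expires=<unix seconds>&signature=<HMAC-SHA256>
function sign(path, expiresAt) {
  const payload = `${path}?expires=${expiresAt}`;
  const sig = crypto.createHmac('sha256', SECRET).update(payload).digest('base64url');
  return `${payload}&signature=${sig}`;
}

// Internal classification: 'ok' | 'malformed' | 'bad_signature' | 'expired'.
// The signature is verified BEFORE the expiry is read, so an attacker cannot
// learn anything by editing the expires parameter of an unsigned URL.
function classify(url, now) {
  const m = /^(.*\?expires=(\d+))&signature=([A-Za-z0-9_-]+)$/.exec(url);
  if (!m) return 'malformed';
  const expected = crypto.createHmac('sha256', SECRET).update(m[1]).digest();
  const given = Buffer.from(m[3], 'base64url');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return 'bad_signature';
  }
  return Number(m[2]) < now ? 'expired' : 'ok';
}

// Every failure maps to one opaque response; the specific reason goes only
// to the server-side log, where it is useful for support and detection.
function respond(url, now, log) {
  const reason = classify(url, now);
  if (reason === 'ok') return { status: 200, body: 'OK' };
  log.push({ reason, url: url.split('&signature=')[0] }); // signature not logged
  return { status: 403, body: 'This link is invalid.' };
}
```
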