Comments (3)

Luzifer commented on July 17, 2024

First of all: Please - and I think I speak for every OSS project out there - create one issue for one request. This is just barely actable anymore and cannot be properly worked on. (As you seem to come from a corporate environment, like you would create one Jira ticket for one request.)


Using environment variables for configuration does not provide a secure way to manage Redis credentials.
I propose implementing a configuration file to prevent credentials from being accessible through the environment.

Please elaborate. Environment variables are an issue for systems with shared access, files are too. Environment variables will fall when the system is compromised, files will too. Environment variables can be injected by a wrapping process, files cannot.

So how would the security increase by writing the Redis credentials into a file on disk as opposed to taking environment variables from a security store?


The expiry settings on the web interface should be clearer.

#153


The app should not be able to change the web interface at runtime.

OTS contains compiled-in assets. They cannot change during runtime. There is barely a difference between statically compiling the frontend and baking it into the binary and statically compiling the frontend and hosting it using nginx. The second variant can be changed more easily.

Aside, if you really want to go that way: make generate, edit the index.html in the frontend directory, let nginx serve it at ots.yourdomain.com and pass through the /api to the Go application: You're done. I don't see the benefit, as you will lose the customization feature, but you can do that.


Uploading needs an authorization system to control uploads.

#92

This can be done through the isWritable endpoint. If it can't be called, the frontend will not display the creation form. If it can be called, the frontend will display the creation form. Limit it on the proxy you put in front of the instance by applying access control to /api/isWritable and /api/create to only be usable by employees, and nobody else can create secrets.

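The proxy-side restriction described in the comment above, as an added example that is not part of the thread or of the OTS code base: a small Go reverse proxy that lets only an allowed network reach /api/isWritable and /api/create and passes every other path through. The CIDR ranges, the listen port and the upstream address are assumptions; `permit` and `gate` are hypothetical names.

```go
package main

import (
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"path"
)

// The two endpoints named in the comment above.
var restricted = map[string]bool{"/api/isWritable": true, "/api/create": true}

// Constructed example ranges standing in for "employees"; replace with your own.
var allowed = []string{"10.0.0.0/8", "127.0.0.1/32"}

// permit reports whether a request for urlPath from remoteAddr may pass.
// remoteAddr is the TCP peer (http.Request.RemoteAddr), assuming this proxy is
// the edge; X-Forwarded-For is ignored because the client can supply it.
func permit(urlPath, remoteAddr string) bool {
	// Clean first so variants such as "/api//create" or "/api/create/", which a
	// backend router may normalise, are matched too.
	if !restricted[path.Clean("/"+urlPath)] {
		return true
	}
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return false // unparsable peer address: fail closed
	}
	ip := net.ParseIP(host)
	for _, cidr := range allowed {
		if _, n, err := net.ParseCIDR(cidr); err == nil && ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// gate wraps the proxy to OTS and answers 403 before the request reaches it.
func gate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !permit(r.URL.Path, r.RemoteAddr) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	upstream, _ := url.Parse("http://127.0.0.1:3000") // assumed OTS address
	http.ListenAndServe(":8080", gate(httputil.NewSingleHostReverseProxy(upstream)))
}
```

Clients outside the allowed ranges get 403 on both endpoints, so the frontend hides the creation form for them and they cannot create secrets, while all other paths are still proxied.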

fblz commented on July 17, 2024

First of all: Please - and I think I speak for every OSS project out there - create one issue for one request. This is just barely actable anymore and cannot be properly worked on. (As you seem to come from a corporate environment, like you would create one Jira ticket for one request.)

I intended for this to be more of a discussion than a full-on feature request. It doesn't have the technical depth for a feature request imo. I see that it can be cumbersome to manage. I will split this into distinct issues.


fblz commented on July 17, 2024

To add to that: I wanted to know whether you want those features in OTS at all before opening issues. Discussions are not enabled on the repo, so I opted for a single issue instead.
