Update: Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md #1439

Closed
Andrewp2 opened this issue Jun 25, 2024 · 2 comments · Fixed by #1440
Labels
ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. UPDATE_CS Issue about the update/refactoring of a existing cheat sheet.

Comments

@Andrewp2
Contributor

What is missing or needs to be updated?

On line 84 we're told to use environment variables for a secret key:

  • A secret cryptographic key Not to confuse with the random value from the naive implementation. This value is used to generate the HMAC hash. Ideally, store this key as an environment variable.

However, at Cryptographic_Storage_Cheat_Sheet.html#key-storage, we're told not to use environment variables:

Avoid storing keys in environment variables, as these can be accidentally exposed through functions such as phpinfo() or through the /proc/self/environ file.

How should this be resolved?

One option is to change to:

  • A secret cryptographic key Not to be confused with the random value from the naive implementation. This value is used to generate the HMAC hash. Ideally, store this key as discussed in the Cryptographic Storage Page.
@Andrewp2 Andrewp2 added ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. HELP_WANTED Issue for which help is wanted to do the job. UPDATE_CS Issue about the update/refactoring of a existing cheat sheet. labels Jun 25, 2024
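The cheat sheet line quoted above describes the HMAC-based CSRF token pattern: a server-side secret key signs the session identifier, a random value and a timestamp, and the server later recomputes the HMAC to validate the token. The following example, which is not part of the cheat sheet or this issue, shows that pattern in Python with the key supplied explicitly by the caller (here a constructed demo key; the hypothetical `load_key_from_file` helper stands in for whatever key storage the Cryptographic Storage cheat sheet prescribes, rather than reading an environment variable). Field lengths are prefixed so that a session id or random value cannot be confused with the separator, and comparison is constant-time.

```python
import hashlib
import hmac
import secrets
import time
from pathlib import Path
from typing import Optional

# Constructed 32-byte demo key for this example only. In production the key
# comes from a secrets store or permission-restricted file (see
# load_key_from_file), not from an environment variable.
DEMO_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def load_key_from_file(path: str) -> bytes:
    """Hypothetical key loader (assumption, not a cheat-sheet API).

    Reads a raw key from a file that a secret manager has mounted with
    restricted permissions, and rejects keys shorter than 32 bytes.
    """
    data = Path(path).read_bytes().strip()
    if len(data) < 32:
        raise ValueError("CSRF signing key must be at least 32 bytes")
    return data


def _message(session_id: str, random_value: str, timestamp: int) -> bytes:
    # Length-prefix each field so the concatenation is unambiguous even if a
    # field happens to contain the '!' separator.
    return (
        f"{len(session_id)}!{session_id}!"
        f"{len(random_value)}!{random_value}!{timestamp}"
    ).encode()


def make_token(
    key: bytes,
    session_id: str,
    random_value: Optional[str] = None,
    now: Optional[int] = None,
) -> str:
    """Return 'hmac_hex.random_value.timestamp' bound to this session."""
    random_value = random_value or secrets.token_urlsafe(16)  # url-safe, no '.'
    timestamp = int(time.time()) if now is None else now
    mac = hmac.new(key, _message(session_id, random_value, timestamp),
                   hashlib.sha256).hexdigest()
    return f"{mac}.{random_value}.{timestamp}"


def verify_token(
    key: bytes,
    session_id: str,
    token: str,
    max_age: int = 3600,
    now: Optional[int] = None,
) -> bool:
    """Recompute the HMAC for the presented token and compare in constant time.

    Fails closed on malformed tokens, tokens from the future, expired tokens,
    a different session id, or a different signing key.
    """
    try:
        _mac, random_value, ts_str = token.split(".")
        timestamp = int(ts_str)
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if timestamp > current or current - timestamp > max_age:
        return False
    expected = make_token(key, session_id, random_value, timestamp)
    return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    sid = "session-abc123"
    tok = make_token(DEMO_KEY, sid)
    print("token:", tok)
    print("valid for same session:", verify_token(DEMO_KEY, sid, tok))
    print("valid for other session:", verify_token(DEMO_KEY, "session-other", tok))
```

Swapping `DEMO_KEY` for `load_key_from_file("/run/secrets/csrf_key")` (path is an assumption) keeps the signing key out of the process environment, which is the concern this issue raises; the token format and checks stay the same.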
@jmanico
Member

jmanico commented Jun 25, 2024 via email

@szh
Collaborator

szh commented Jun 25, 2024

Yeah, this is clearly an out-of-date recommendation. If you're willing to make a PR to update it, that would be awesome. If not, just let me know and I can handle it.

@szh szh added ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. and removed ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. labels Jun 25, 2024
@szh szh removed the HELP_WANTED Issue for which help is wanted to do the job. label Jun 25, 2024
3 participants