-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Secret values in the admin should be obfuscated #6294
Comments
jptissot
changed the title
Secret keys should be obfuscated
Secret values in the admin should be obfuscated
May 28, 2020
I think it's a good idea. Using blank values has some problems. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When we input a secret in the admin (google authentication module "API secret key" for example). The value should not be returned to the client when visiting the page a second time. Currently, the secret is decrypted and is passed back to the client in a password field, but the value is available in the browser's dev tools. I think we should instead use a magic string that would tell the server side to leave the previous value untouched if the user saves the form a second time without modifying the value.
The text was updated successfully, but these errors were encountered: