Audit response status code for information disclosure #59

Closed
hug-dev opened this issue Jun 22, 2020 · 2 comments
@hug-dev
Member

hug-dev commented Jun 22, 2020

Mitigation one of our threat model says:

Response statuses are audited to not give too much information to the client.

This issue is to investigate and make sure this is the case.

@hug-dev hug-dev added the security Issues related to the security and privacy of the service label Jun 22, 2020
@ionut-arm
Member

By this I assume we mean only the non-PSA response codes. Also, it only means the response code alone, since we send back no data about the failure, just a number.

@hug-dev hug-dev added this to the Parsec production ready milestone Aug 7, 2020
@hug-dev hug-dev self-assigned this Sep 2, 2020
@hug-dev
Member Author

hug-dev commented Sep 2, 2020

The service-specific response codes are defined here. Having looked at it, the information they contain is either public or not confidential.

@hug-dev hug-dev closed this as completed Sep 2, 2020