From Diego:
One thing that is missing in the setup but is not critical for now is
that both popdbweb and victorweb are not verifying the headers coming
from the cmsweb frontends. Every back-end service must check them to
make sure requests have not been tampered with or crafted locally by
exploiting some failure in some other service running on the same
back-end. Once that protection is in place, we can no longer
generate requests locally.
On a separate note, it is also important that all requests pass through the
frontends for proper accountability and identification of all the
clients.
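
One way a back-end could perform the header check described above, as an added example that is not code from popdbweb, victorweb or the cmsweb frontends. It assumes the frontend signs every header it sets with an HMAC-SHA256 key shared with the back-end; the `x-fe-auth-*` header names, the key and the sample requests are hypothetical and constructed for the illustration.

```python
import hashlib
import hmac

PREFIX = "x-fe-auth-"          # hypothetical prefix for frontend-set headers
MAC_HEADER = "x-fe-auth-hmac"  # hypothetical header carrying the MAC


def _canonical(headers):
    """Serialize every frontend header except the MAC, sorted and length-prefixed."""
    items = sorted((k.lower().encode(), v.encode()) for k, v in headers.items()
                   if k.lower().startswith(PREFIX) and k.lower() != MAC_HEADER)
    # Length prefixes keep ("a", "bc") and ("ab", "c") from serializing alike.
    return b"".join(b"%d:%s%d:%s" % (len(k), k, len(v), v) for k, v in items)


def sign(headers, key):
    """Frontend side, included only to build the constructed sample request."""
    return hmac.new(key, _canonical(headers), hashlib.sha256).hexdigest()


def verify(headers, key):
    """Back-end side: return the trusted headers or raise PermissionError."""
    lowered = {k.lower(): v for k, v in headers.items()}
    mac = lowered.get(MAC_HEADER)
    if not mac:
        raise PermissionError("no frontend MAC: request bypassed the frontend")
    if not hmac.compare_digest(mac.encode(), sign(lowered, key).encode()):
        raise PermissionError("frontend headers modified or forged")
    return {k: v for k, v in lowered.items()
            if k.startswith(PREFIX) and k != MAC_HEADER}


def accepted(headers, key):
    """Convenience wrapper: True if verify() passes, False if it rejects."""
    try:
        verify(headers, key)
        return True
    except PermissionError:
        return False


# Constructed sample data (not real cmsweb values).
KEY = b"constructed-demo-key-shared-with-frontend"
GOOD = {"X-FE-Auth-Name": "alice", "X-FE-Auth-Method": "cert"}
GOOD[MAC_HEADER] = sign(GOOD, KEY)
TAMPERED = {**GOOD, "X-FE-Auth-Name": "admin"}  # value changed after signing
LOCAL = {"X-FE-Auth-Name": "admin"}             # crafted locally, no MAC
```

The check only helps against a neighbouring service on the same back-end if that service cannot read the key, so the key file should be readable by the verifying service's account alone.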