remove suffix matching from host whitelist
All checks were successful
check / check (push) Successful in 1m50s
All checks were successful
check / check (push) Successful in 1m50s
Signatures are per-URL, so the whitelist should only support exact host matches. Remove the suffix/wildcard matching that allowed patterns like '.example.com' to bypass signature requirements for entire domain trees. Leading dots in existing config entries are now stripped, so '.example.com' becomes 'example.com' as an exact match (backwards-compatible normalisation).
This commit is contained in:
user
@@ -96,11 +96,10 @@ expiration 1704067200:
|
||||
4. URL:
|
||||
`/v1/image/cdn.example.com/photos/cat.jpg/800x600.webp?sig=<base64url>&exp=1704067200`
|
||||
|
||||
**Whitelist patterns:**
|
||||
|
||||
- **Exact match**: `cdn.example.com` — matches only that host
|
||||
- **Suffix match**: `.example.com` — matches `cdn.example.com`,
|
||||
`images.example.com`, and `example.com`
|
||||
**Whitelist entries** are exact host matches only (e.g.
|
||||
`cdn.example.com`). Suffix/wildcard matching is not supported —
|
||||
signatures are per-URL, so each allowed host must be listed
|
||||
explicitly.
|
||||
|
||||
### Configuration
|
||||
|
||||
|
||||
Reference in New Issue
Block a user