nodece commented on PR #16650: URL: https://github.com/apache/pulsar/pull/16650#issuecomment-1190091918
@acortes-okode Thanks for your explanation about security!

> But I think then that the token query param check should only be applied on WebSocket connection URIs (/ws/ and /ws/v2/) and not the rest.

You are right, we should add a filter to check the WebSocket connection URL.

> And I'm sure security here depends a lot on how Apache Pulsar is managed and if the users use that query param for other requests rather than the WebSocket ones but maybe it could be a security risk in some situations.

I'm referencing an [OWASP post](https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url) about this.

Hi @michaeljmarshall @lhotari, I think you will be interested in this, could you share your thoughts?
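The filter the comment above agrees is needed, sketched as an added illustrative `javax.servlet` filter (example code, not Pulsar's own): a `token` query parameter is honoured only on the WebSocket paths, and any other request carrying it is refused so the token does not travel through URLs that proxies, browser history and access logs record. The `/ws/` and `/ws/v2/` prefixes come from the thread; the parameter name `token`, the 400 response and the class name are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative filter (not Pulsar's code): accept a "token" query parameter
 * only on WebSocket connection URIs, where a browser client cannot set an
 * Authorization header, and reject it on every other path.
 */
public class WebSocketTokenQueryParamFilter implements Filter {
    // Parameter name is an assumption for this example.
    private static final String TOKEN_PARAM = "token";

    /** Only these path prefixes (from the PR discussion) may carry the token in the URL. */
    static boolean isWebSocketPath(String path) {
        return path != null && (path.startsWith("/ws/") || path.startsWith("/ws/v2/"));
    }

    /** True if the raw query string contains a "token" parameter (with or without a value). */
    static boolean hasTokenQueryParam(String query) {
        if (query == null || query.isEmpty()) return false;
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            if (TOKEN_PARAM.equals(name)) return true;
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (hasTokenQueryParam(request.getQueryString())
                && !isWebSocketPath(request.getRequestURI())) {
            // Refuse rather than silently ignore: the token has already reached the URL,
            // so the client should be told to switch to the Authorization header.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "token query parameter is only accepted on WebSocket paths; use the Authorization header");
            return;
        }
        chain.doFilter(req, res);
    }
}
```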
