authelia

Commit Graph

Author	SHA1	Message	Date
Clement Michaud	42581dfe93	Fix open redirection vulnerability. In order to redirect the user after authentication, Authelia uses rd query parameter provided by the proxy. However an attacker could use phishing to make the user be redirected to a bad domain. In order to avoid the user to be redirected to a bad location, Authelia now verifies the redirection URL is under the protected domain.	2018-11-17 17:48:20 +01:00
Clement Michaud	56fdc40290	Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats.	2017-10-14 11:57:38 +02:00

Author

SHA1

Message

Date

Clement Michaud

42581dfe93

Fix open redirection vulnerability.

In order to redirect the user after authentication, Authelia uses
rd query parameter provided by the proxy. However an attacker could
use phishing to make the user be redirected to a bad domain. In order
to avoid the user to be redirected to a bad location, Authelia now
verifies the redirection URL is under the protected domain.

2018-11-17 17:48:20 +01:00

Clement Michaud

56fdc40290

Every public endpoints return 200 with harmonized error messages or 401

Now, /verify can return 401 or 403 depending on the user authentication.
Every public API endpoints and pages return 200 with error message in
JSON body or 401 if the user is not authorized.

This policy makes it complicated for an attacker to know what is the source of
the failure and hide server-side bugs (not returning 500), bugs being potential
threats.

2017-10-14 11:57:38 +02:00

2 Commits (4adb0569acf3076dfc985ffac11b131376e85714)