Greg Guthe
> If I understand it correctly, an app that would use only server-side Origin header checking alone would prevent CSRF in all browsers that implement the Origin header correctly.
> Clients...
upstream issue: https://github.com/aws-samples/aws-cloudhsm-pkcs11-examples/issues/5
yep armag-addon 2.0 stuff, maybe autograph-canary can do this?
On Thu, Mar 26, 2020 at 9:07 AM Julien Vehent wrote:
> Is this about add-on verification?
>
> —
>...
Looked into this a bit (web search and stared at the `net/http` src), you'd think we could add `code: w.` in autograph's logging.go but I don't see any publicly accessible...
I think bob did change it to use the nginx logs for the metrics, so we might be able to close this out.
On Thu, Mar 26, 2020 at 9:08...
See also https://github.com/mozilla-services/cloudops-deployment/pull/4236#issuecomment-846014573 (private link)
> Maybe we don't even care about the public key and we just use the private key to do everything?
Yeah, we really shouldn't need the public key to sign...
Discussed with @jvehent and we'll just add a check that private and pub key lengths match.
An alternative or additional option, https://github.com/mozilla-services/autograph/pull/782#discussion_r723599970
The [logrus readme](https://github.com/sirupsen/logrus#example) includes this example:
```go
// A common pattern is to re-use fields between logging statements by re-using
// the logrus.Entry returned...
```