
Consider updating samples and docu with AddOpenIdConnect option DisableTelemetry

Open JeroenBer opened this issue 2 years ago • 2 comments

During penetration testing we got a remark about the x-client-SKU and x-client-ver query string parameters exposing information about the software versions used. This might give attackers clues about which software version is in use, and they might try known exploits.

The solution was to set DisableTelemetry in the OpenIdConnect options. Unfortunately this is not the default. It might be wise to add this to the sample code and documentation so that people do not overlook it.

```csharp
// Disable the x-client-SKU and x-client-ver query string parameters (security finding)
options.DisableTelemetry = true;
```

JeroenBer avatar May 02 '23 10:05 JeroenBer
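For reference, here is a complete `Program.cs` showing where the flag lives in a minimal ASP.NET Core client. This is an added example, not code from the issue or from the Duende samples repo; the authority URL, client id, client secret and redirect paths are placeholders.

```csharp
// Program.cs for a minimal ASP.NET Core web app that signs in via OpenID Connect.
// Added example (not the project's own code). Authority, ClientId and ClientSecret
// are placeholders; load the real secret from a secret store, not from source.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(options =>
    {
        // Local session lives in a cookie; unauthenticated requests are
        // challenged by redirecting to the OpenID Connect provider.
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        options.Authority = "https://idp.example.com";   // placeholder
        options.ClientId = "web-client";                  // placeholder
        options.ClientSecret = builder.Configuration["Oidc:ClientSecret"]; // placeholder key
        options.ResponseType = "code";
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        options.SaveTokens = true;
        options.GetClaimsFromUserInfoEndpoint = true;

        // Default is false, which makes the handler append x-client-SKU and
        // x-client-ver (library name and version) to the protocol messages it
        // builds, starting with the authorize request query string. Setting it
        // to true removes those parameters, so the redirect no longer
        // advertises which client library version this app runs.
        options.DisableTelemetry = true;
    });

builder.Services.AddAuthorization();

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// Any request here triggers the challenge and therefore the authorize redirect.
app.MapGet("/", (HttpContext ctx) =>
        $"Signed in as {ctx.User.Identity?.Name ?? "(no name claim)"}")
    .RequireAuthorization();

app.Run();
```

To confirm the fix, request the protected page without following redirects (for example `curl -I https://localhost:5001/`) and inspect the `Location` header of the 302: with the default setting the authorize URL carries `x-client-SKU=...&x-client-ver=...`; with `DisableTelemetry = true` those two parameters are absent. Checking the redirect this way is also a cheap regression test to keep in the client's integration suite, since a later copy-paste of a sample that omits the flag would silently reintroduce the finding.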

Thanks, this is a great suggestion!

josephdecock avatar May 02 '23 19:05 josephdecock

I think this should mostly be done in the samples repo - most of the time in the documentation we either omit most options or are doing a tutorial where extra options are just distracting.

josephdecock avatar Feb 24 '24 04:02 josephdecock

I've just completed a series of PRs. All relevant clients now have the flag enabled.

RolandGuijt avatar Jul 03 '24 15:07 RolandGuijt