RESTer
History and Security
Hey,
First of all, very sexy looking! A few concerns/suggestions/issues..
- I deleted all 5 history items manually, yet they weren't removed from the left history panel (until reload)
- How is data stored, like Header variables for example?
If it's stored in plain text, any chance you can make RESTer encrypt the data before writing it down?
because..tokens..
- A setting checkbox to automatically expand urls (to show its parameters in that neat looking list)
- An option to never keep/record history
Very useful extension!
Thanks!
Hi @Vastrix, good to hear you like it. Let me get to the questions:
> I deleted all 5 history items manually, yet they weren't removed from the left history panel (until reload)
Yes, I know about this. Thanks for capturing it here. This is really just the left panel not updating. Data is immediately deleted. I don't see this as a high priority to fix, because it is not the easiest thing.
> How is data stored, like Header variables for example?

Data is stored in plain text using `storage.local`. This was stored as a JSON file on disk. Recently Firefox changed the implementation. I believe it is now stored as an indexedDB. But it's still plain text. So yeah, the suggestion to encrypt it is good. I need to think about how and which parts of the data.
Where would you store the encryption key?
> A setting checkbox to automatically expand urls (to show its parameters in that neat looking list)
Good point. That should be a simple improvement.
> An option to never keep/record history
This is an interesting one. I created RESTer because I wanted a browser extension, which automatically saves all requests/responses. It did grow quite a bit now, though. I can see that people would like to use it without storing history. I might add this option in the future.
Thanks for the fast response!
> Yes, I know about this. Thanks for capturing it here. This is really just the left panel not updating. Data is immediately deleted. I don't see this as a high priority to fix, because it is not the easiest thing.

Yeah, I know, it's something super minor, no priority whatsoever, just thought I'd mention it ;)
> Where would you store the encryption key?
This! :p
On Windows you might be able to use EFS, which is not super secure but at least it's something.. However, that's not very cross-platform. One way to encrypt things without asking for a key is by grabbing a static constant browser variable (that never changes), add some salt to it and use that..
The latter option especially is insecure, but it does prevent general data theft (through common exploits/malware), but yea, completely insecure against more targeted attacks..
Asking for a password is really the best option, but that's a hassle for the user as well (remembering the password) :/
I guess, if you wanna be really fancy about it, you could offer both options.. :)
> This is an interesting one. I created RESTer because I wanted a browser extension, which automatically saves all requests/responses. It did grow quite a bit now, though. I can see that people would like to use it without storing history. I might add this option in the future.
Heh, yea, I usually use it to quickly test a REST API, do some initial tests, before I start coding
Which means that I'd always have to remove history to keep things neat and secure (if I used a token)
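
The "ask for a password" option from this thread, as an added example (not RESTer's code and not posted by either participant): a key is derived from the password with PBKDF2 and the record is sealed with AES-GCM using standard WebCrypto calls, so only salt, IV and ciphertext would reach `storage.local`. The function names, record layout and iteration count are assumptions made for the example.

```javascript
// Added example; sealRecord/openRecord and the record layout are hypothetical.
const ITERATIONS = 600000; // PBKDF2-SHA-256 work factor (assumed value)
const b64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const unb64 = (s) => Uint8Array.from(atob(s), (ch) => ch.charCodeAt(0));

async function webCrypto() {
  // Browsers and current Node expose globalThis.crypto; older Node needs the import.
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

// The key exists only in memory and is non-extractable; it is never written to storage.
async function deriveKey(password, salt, iterations) {
  const { subtle } = await webCrypto();
  const material = await subtle.importKey(
    'raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Returns a JSON-safe object: the only form of the data that would be persisted.
async function sealRecord(password, value) {
  const c = await webCrypto();
  const salt = c.getRandomValues(new Uint8Array(16)); // fresh per record
  const iv = c.getRandomValues(new Uint8Array(12));   // never reused with a key
  const key = await deriveKey(password, salt, ITERATIONS);
  const plaintext = new TextEncoder().encode(JSON.stringify(value));
  const ct = await c.subtle.encrypt({ name: 'AES-GCM', iv }, key, plaintext);
  return { v: 1, iterations: ITERATIONS, salt: b64(salt), iv: b64(iv), ct: b64(ct) };
}

// Returns the original value, or null if the password is wrong or the
// stored record was modified (the AES-GCM tag check fails in both cases).
async function openRecord(password, record) {
  const c = await webCrypto();
  const key = await deriveKey(password, unb64(record.salt), record.iterations);
  try {
    const pt = await c.subtle.decrypt(
      { name: 'AES-GCM', iv: unb64(record.iv) }, key, unb64(record.ct));
    return JSON.parse(new TextDecoder().decode(pt));
  } catch {
    return null;
  }
}
```

Deriving the key once per session and reusing it with a fresh IV per record avoids paying the PBKDF2 cost on every read and write.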