Token shouldn't be passed via GET variable about gitlab-monitor HOT 5 CLOSED

@timoschwarzer Actually in a lot of business environments high end firewalls are scanning SSL traffic. https://www.sonicwall.com/en-us/support/knowledge-base/170505782716496 so everything gets logged and scanned creating quite a trail.

I'm actually working on an version that will walk you through generating a SSH key connection.

from gitlab-monitor.

Hi there! :)

You are right, tokens should not be passed as query parameters. But just for you information: When you use HTTPS, the only bottleneck will be the browser history and the server logs as query parameters are transport encrypted. If you use the hosted version at my website, it's just the browser history because I don't log URLs for that application.

There has been the idea to move the configuration to an extra file (e.g. config.json) and pass the path to that file as a query parameter. I just haven't had time to implement this and this would be happy to see a PR. :)

from gitlab-monitor.

Since you provide a docker image you might consider reading the gitlab api and private token from environment variables. In terms of security it's even worse, but setup is much easier for teams.

from gitlab-monitor.

@DailenG What do you think of prompting the user and saving the token to localStorage?

from gitlab-monitor.

Whoop whoop! I worked the entire weekend to remake the configuration and add some features.
You can find the new release and instructions here: https://github.com/timoschwarzer/gitlab-monitor/releases/tag/1.7

I'll close this issue as the token is no longer passed as GET parameter.

from gitlab-monitor.