Score:-1

Hiding sensitive information from CDN provider


I have an app that I want to connect to Cloudflare for CDN. However, Cloudflare handles the HTTPS encryption for me, so I'm worried that user passwords may be logged.

What are some good practices for shielding sensitive information from CDN providers?

Score:3

https://developers.cloudflare.com/logs/

By default, Cloudflare does not retain your HTTP request logs. However, if you are a Spectrum customer, logs of Spectrum events are retained automatically.

When you have reason to believe that your service provider won’t uphold their end of the terms & conditions of your (data processing) contract/service agreement with them, then you shouldn’t do business with them.

From a technical perspective: the typical (default) logging that both your own systems as well as the service providers (when enabled by you) are going to do is HTTP request logging.

Don’t program your app to make requests containing sensitive data such as www.example.com/login?login=zcaudate&password=s3cr3t in the URI and you ensure that those logs won’t contain sensitive information.

Don’t underestimate the capability of users to enter their passwords in the username field and similar, so don’t assume that you only need to avoid requests with the password field; avoid them completely.

zcaudate: That makes sense. Thanks.

Score:3

Good practice is not to use a CDN for sensitive information like this. Simple like that.

Use another domain (account....) to handle the login as i.e. Microsoft does (login.live.com) and do not run that through the CDN.

Use a standard OAuth2 authentication scheme with a bearer token that always is only transmitted via header, never in the request URL.

Done.
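
A check for the advice in both answers above (no credentials in the request URI, bearer tokens only in headers), added here as an example and not part of either answer: it scans access-log lines for credentials that reached the URL and redacts them before the logs are stored or shipped. The parameter names, endpoint paths and log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumed names; adjust to the parameters and paths your app really uses.
SENSITIVE_PARAMS = {"password", "passwd", "token", "access_token", "secret"}
AUTH_PATHS = ("/login", "/oauth/token")

# Request line inside a common/combined access-log entry: "METHOD target HTTP/x"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def audit_line(line):
    """Return (findings, redacted_line) for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return [], line
    parts = urlsplit(m.group("target"))
    params = parse_qsl(parts.query, keep_blank_values=True)
    findings = []
    is_auth = parts.path.startswith(AUTH_PATHS)
    if is_auth and params:
        # Users type passwords into the wrong field, so on an auth
        # endpoint every query parameter is treated as sensitive.
        findings.append("query string on auth endpoint")
    redacted = []
    for name, value in params:
        sensitive = name.lower() in SENSITIVE_PARAMS
        if sensitive:
            findings.append(f"sensitive parameter in URL: {name}")
        redacted.append((name, "REDACTED" if (is_auth or sensitive) else value))
    target = parts._replace(query=urlencode(redacted)).geturl()
    return findings, line[:m.start("target")] + target + line[m.end("target"):]

SAMPLE_LOG = [  # constructed log lines, not taken from a real system
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login?login=zcaudate&password=s3cr3t HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 302 0',
    '203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /api/items?page=2&access_token=abc123 HTTP/1.1" 200 1024',
    '203.0.113.9 - - [10/Oct/2023:13:56:05 +0000] "GET /api/items?page=3 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        findings, clean = audit_line(entry)
        print(findings or "ok", "|", clean)
```

Redaction only protects logs you control; a finding means the request itself must be changed (POST body or `Authorization` header), because the URL has already passed through every proxy on the path.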
