This repository has been archived by the owner on May 7, 2024. It is now read-only.
Insecure behaviour by default: a vanilla run asks for admin creation #815
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
(I understand that this project has been abandoned since 2020 in favor of your own Kong competitor but just in case you want to resume it ...)
The first time the application is executed, it will ask for the creation of an administrator password.
This is not secure since there is a time window in which a malicious user can gain control of the service.
Other products create a one-use first-time token that is dumped into the logs (which are only accessible to administrators).
Thanks.
The text was updated successfully, but these errors were encountered: