Disable GET login by default (#15558)

* Disable GET login by default
GET login allows users to put username and password in the URL; this is helpful for displays where you cannot log in interactively.
Unfortunately, the plaintext password will be in the access logs.
GET login also allows brute force attacks against your install.

* Apply fixes from StyleCI

---------

Co-authored-by: StyleCI Bot <bot@styleci.io>
Tony Murray
2023-11-07 16:25:28 -06:00
committed by GitHub
parent 3a98aa2ec6
commit 7c006e9625
3 changed files with 16 additions and 2 deletions

@@ -266,6 +266,10 @@ return [
'description' => 'Key to hold cache of autonomous systems descriptions',
],
'auth' => [
'allow_get_login' => [
'description' => 'Allow get login (Insecure)',
'help' => 'Allow login by putting username and password variables in the url get request, useful for display systems where you cannot interactively log in. This is considered insecure because the password will be shown in logs and logins are not rate limited so it could open you up to brute force attacks.',
],
'socialite' => [
'redirect' => [
'description' => 'Redirect Login page',
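
Review bot: The 'help' string for 'allow_get_login' is a single run-on sentence and only says the password "will be shown in logs", while the commit message is specific that the plaintext password ends up in the access logs. Consider splitting it into two sentences and naming the access logs, so an operator who enables this knows which logs now hold credentials. Also write GET and URL in capitals in both strings, e.g. 'Allow GET login (Insecure)', to match the commit title.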