These are not sensitive, and you should not report potential
vulnerabilities on a public mailing list.
On Tue, 22 Oct 2019, 22:13 Hossein Doutaghy, <hossein.doutaghy(a)gmail.com>
wrote:
Hi,
A web security scanner found that the Keycloak Admin console is using GET with
the login-actions endpoint. It points out that several parameters are visible in
the URL which can be sensitive, e.g. execution_session_code, client_id.
The scanner recommends not using GET for sensitive parameters, or even better
not accepting GET parameters for the endpoint at all.
Are the parameters for login-actions really sensitive? What are the reasons
that this endpoint allows both GET and POST forms?
Moe Doutaghy
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user