Add a comment on threat model (lack thereof) for Basic-Auth:.

V12-Ref: F-77238, F-77261
Catherine
2026-05-30 15:14:38 +00:00
parent c181e86f48
commit 3fe45f0c98
+2
@@ -237,6 +237,8 @@ func ApplyHeaderRules(manifest *Manifest, url *url.URL) (
return
}
// Note that `Basic-Auth:` is not a security mechanism; it is provided on a best-effort basis
// and not expected to be resistant against malicious misuse.
func ApplyBasicAuthRules(manifest *Manifest, url *url.URL, r *http.Request) (bool, error) {
if rule := matchPathRules(manifest.BasicAuth, url); rule == nil {
// no matches, authorized by default