From 3fe45f0c983a5cb0e20b9cb55648bc34a66968ad Mon Sep 17 00:00:00 2001
From: Catherine
Date: Sat, 30 May 2026 15:14:38 +0000
Subject: [PATCH] Add a comment on threat model (lack thereof) for `Basic-Auth:`.

V12-Ref: F-77238, F-77261
---
 src/headers.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/headers.go b/src/headers.go
index 006e8fd..bb11be2 100644
--- a/src/headers.go
+++ b/src/headers.go
@@ -237,6 +237,8 @@ func ApplyHeaderRules(manifest *Manifest, url *url.URL) (
 return
 }
 
+// Note that `Basic-Auth:` is not a security mechanism; it is provided on a best-effort basis
+// and not expected to be resistant against malicious misuse.
 func ApplyBasicAuthRules(manifest *Manifest, url *url.URL, r *http.Request) (bool, error) {
 if rule := matchPathRules(manifest.BasicAuth, url); rule == nil {
 // no matches, authorized by default
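Review bot: The comment added above `ApplyBasicAuthRules` becomes that exported function's doc comment, but it neither starts with the function name nor states the fail-open behaviour visible two lines below (`// no matches, authorized by default`), which is the part a caller most needs to know. I would lead with `// ApplyBasicAuthRules checks r against the Basic-Auth rule matching url; a path with no matching rule is authorized by default.` and keep the existing caveat as a second paragraph. "Best-effort" would also be more useful if it named what is not defended against (assuming the referenced findings identify specific gaps), so that operators know to put real access control in front of sensitive paths. The function body continues past the end of the hunk, so the return-value wording should be checked against the full body.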