motrm 5 hours ago
Reminds me a little of Fly's Tokenizer - https://github.com/superfly/tokenizer It's a little HTTP proxy that your application can route requests through, and the proxy is what handles adding the API keys or whatnot to the request to the service, rather than your application. Something like this, for example: Application -> tokenizer -> Stripe. The secrets for the third-party service should in theory then be safe, should there be some leak or compromise of the application, since it doesn't know the actual secrets itself. Cool idea!
tptacek 5 hours ago
It's exactly the tokenizer, but we shoplifted the idea too; it belongs to the world! (The credential thing I'm actually proud of is non-exfiltratable machine-bound Macaroons). Remember that the security promises of this scheme depend on tight control over not only what hosts you'll send requests to, but what parts of the requests themselves.
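An added example, not code from the thread or from Fly's tokenizer, sketching the pattern both comments describe in Go. The application holds only a sealed blob (AES-256-GCM under a key only the proxy has, a format assumed here for illustration) and sends its request through the proxy with that blob in a hypothetical `Proxy-Tokenizer` header. The proxy opens the blob, injects the real credential, and forwards the request. tptacek's caveat is built in: the allowed host, path prefix and header name travel inside the sealed blob, so the application cannot widen them, and the proxy overwrites (rather than appends to) the injected header and strips the sealed header before forwarding. The upstream server, key and credential value are constructed for the example; all names (`Secret`, `Seal`, `Open`, `Proxy`, `Send`) are assumptions, not a real API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Secret is the credential plus the policy that limits where it may be sent.
// Hypothetical layout for this example, not Fly's wire format.
type Secret struct {
	Host       string `json:"host"`        // exact upstream host:port the secret may go to
	PathPrefix string `json:"path_prefix"` // request path must start with this
	Header     string `json:"header"`      // header the proxy sets on the upstream request
	Value      string `json:"value"`       // the real credential; the app never sees it
}

// Seal encrypts a Secret under the proxy-only key with AES-256-GCM.
// The application stores and forwards only the opaque result.
func Seal(key []byte, s Secret) (string, error) {
	pt, err := json.Marshal(s)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, pt, nil)), nil
}

// Open reverses Seal; a tampered blob or one sealed under another key fails.
func Open(key []byte, sealed string) (Secret, error) {
	var s Secret
	ct, err := base64.RawURLEncoding.DecodeString(sealed)
	if err != nil {
		return s, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return s, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return s, err
	}
	if len(ct) < gcm.NonceSize() {
		return s, errors.New("sealed secret too short")
	}
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	if err != nil {
		return s, err
	}
	return s, json.Unmarshal(pt, &s)
}

const sealedHeader = "Proxy-Tokenizer" // hypothetical header carrying the sealed blob

// Proxy is a forward proxy: the app sends it an absolute-URL request plus the
// sealed blob, and the proxy decides whether to inject the credential and forward.
type Proxy struct {
	Key       []byte
	Transport http.RoundTripper
}

func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	s, err := Open(p.Key, r.Header.Get(sealedHeader))
	if err != nil {
		http.Error(w, "bad sealed secret", http.StatusBadRequest)
		return
	}
	// Policy lives inside the sealed blob, so the app cannot point the
	// credential at another host or another part of the API.
	if r.URL.Host != s.Host || !strings.HasPrefix(r.URL.Path, s.PathPrefix) {
		http.Error(w, "request not permitted for this secret", http.StatusForbidden)
		return
	}
	out := r.Clone(r.Context())
	out.RequestURI = ""           // outgoing client requests must not carry this
	out.Header.Del(sealedHeader)  // never leak the blob to the upstream
	out.Header.Set(s.Header, s.Value) // Set, not Add: the app's own value is discarded
	resp, err := p.Transport.RoundTrip(out)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadGateway)
		return
	}
	defer resp.Body.Close()
	w.WriteHeader(resp.StatusCode)
	io.Copy(w, resp.Body)
}

// Send is the application side of the example: it forwards the sealed blob and
// returns the proxy's status code and trimmed body.
func Send(p http.Handler, sealed, url string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, url, nil)
	req.Header.Set(sealedHeader, sealed)
	rec := httptest.NewRecorder()
	p.ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	// Constructed stand-in for the third-party API: echoes the Authorization it received.
	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, r.Header.Get("Authorization"))
	}))
	defer upstream.Close()
	key := make([]byte, 32) // proxy-only key, constructed for the example
	rand.Read(key)
	sealed, _ := Seal(key, Secret{Host: strings.TrimPrefix(upstream.URL, "http://"),
		PathPrefix: "/v1/", Header: "Authorization", Value: "Bearer sk_test_constructed"})
	p := &Proxy{Key: key, Transport: http.DefaultTransport}
	fmt.Println(Send(p, sealed, upstream.URL+"/v1/charges"))    // allowed: credential injected
	fmt.Println(Send(p, sealed, upstream.URL+"/v2/anything"))   // wrong path prefix: refused
	fmt.Println(Send(p, sealed, "http://attacker.example/v1/")) // wrong host: refused before any network I/O
}
```

The refusals happen before the proxy opens a connection, which is the point of tptacek's remark: a compromised application that can make the proxy send the credential to an arbitrary host, or to an endpoint that reflects headers, has effectively exfiltrated it even though it never held the plaintext.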