Security hole when using ClientKey white listing
lukaskolafa opened this issue · comments
lukaskolafa commented
Hello,
I fear I found a security hole in the whitelist feature for ClientKeys. In order to make this configuration work:
<whitelists>
<add policyType="2" entry="some-user" />
</whitelists>
you have to configure this setting:
<throttlePolicy clientThrottling="true">
Without clientThrottling enabled, the whitelists are ignored.
The problem with that is that enabling clientThrottling is IMHO a security hole, because this allows hackers to bypass the throttling by sending random clientIds.
It would be great if the ClientKey whitelists would also work without clientThrottling enabled.
Many thanks for the great project and your support!
Best,
Lukas
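To make the two concerns in this report concrete, here is an added example (my own illustration, not WebApiThrottle's code or anything from the project) that models a throttling middleware in Python. It shows a throttler with the behaviour the issue describes, where the ClientKey whitelist is only consulted when clientThrottling is on and the counter is then keyed on whatever client key the caller sends, next to a hardened variant in which the whitelist is honoured in every mode and only keys from a known, registered client set get their own bucket while everything else falls back to the caller's IP bucket. The single fixed window, the `LIMIT` constant, the `known_clients` set and the traffic samples are all assumptions constructed for the demo.

```python
from collections import defaultdict

# Assumption for the demo: a single fixed window with this many requests per bucket.
LIMIT = 5


def attacker_traffic(n, ip="203.0.113.7"):
    """Constructed sample: one source IP, a fresh random-looking client key per request."""
    return [(ip, f"random-{i}") for i in range(n)]


def client_traffic(n, ip, client_key):
    """Constructed sample: n requests from one IP with a fixed client key."""
    return [(ip, client_key) for _ in range(n)]


class IssueThrottler:
    """Models the behaviour reported in the issue.

    - clientThrottling off: requests are counted per IP and the whitelist is ignored.
    - clientThrottling on: the counter is keyed on the caller-supplied client key and
      whitelisted keys pass through.
    """

    def __init__(self, client_throttling, client_whitelist):
        self.client_throttling = client_throttling
        self.client_whitelist = set(client_whitelist)
        self.counters = defaultdict(int)

    def allow(self, ip, client_key):
        if self.client_throttling:
            if client_key in self.client_whitelist:
                return True
            bucket = "client:" + client_key  # attacker controls this string
        else:
            bucket = "ip:" + ip  # whitelist never consulted in this mode
        self.counters[bucket] += 1
        return self.counters[bucket] <= LIMIT


class HardenedThrottler:
    """Hardened variant (assumed design, not the project's).

    - The whitelist is checked in every mode, so it works without client throttling.
    - Only keys in a registered set ever get a per-client bucket; an unknown key is
      treated as anonymous traffic and shares the IP bucket, so random keys cannot
      mint fresh counters.
    """

    def __init__(self, client_throttling, client_whitelist, known_clients):
        self.client_throttling = client_throttling
        self.client_whitelist = set(client_whitelist)
        self.known_clients = set(known_clients)
        self.counters = defaultdict(int)

    def allow(self, ip, client_key):
        if client_key in self.client_whitelist:
            return True
        if self.client_throttling and client_key in self.known_clients:
            bucket = "client:" + client_key
        else:
            bucket = "ip:" + ip
        self.counters[bucket] += 1
        return self.counters[bucket] <= LIMIT


def count_allowed(throttler, traffic):
    """Return how many requests of the constructed traffic the throttler lets through."""
    return sum(1 for ip, key in traffic if throttler.allow(ip, key))


if __name__ == "__main__":
    whitelist = ["some-user"]  # the policyType="2" entry from the issue
    known = ["some-user", "app-a"]

    print("issue model, clientThrottling=false, whitelisted user:",
          count_allowed(IssueThrottler(False, whitelist), client_traffic(20, "198.51.100.5", "some-user")))
    print("issue model, clientThrottling=true, random keys:",
          count_allowed(IssueThrottler(True, whitelist), attacker_traffic(20)))
    print("hardened, clientThrottling=false, whitelisted user:",
          count_allowed(HardenedThrottler(False, whitelist, known), client_traffic(20, "198.51.100.5", "some-user")))
    print("hardened, clientThrottling=true, random keys:",
          count_allowed(HardenedThrottler(True, whitelist, known), attacker_traffic(20)))
```

Run as a script, the first two lines reproduce the two problems from the report (the whitelisted user is throttled when clientThrottling is off, and 20 random keys all get through when it is on), while the hardened variant honours the whitelist in both modes and caps the random-key traffic at the IP limit. The essential design point is that a rate-limit key must be something the caller cannot choose freely; a client-supplied identifier is only safe as a bucket key after it has been validated against a registry or an authenticated credential.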