Hello,
[...]
> I can only guess that Maxim took offence with your wording here, which can be understood as downplaying the risk
> The only security risk in my opinion
Please provide further details on why it is downplaying. Have you
identified another security risk? I would like to be aware of it and
also let the others know. Or maybe something else is wrong in my
statement; my English is not native and likely not the best out
there, so I am eager to learn from you and do better in the future.
Using custom header names to tighten or loosen security is a per-deployment-specific approach; it is expected that only an insider knows it, but then such a person probably has access to more important sensitive data (such as subscriber passwords, etc.).
Based on my review (I could be wrong of course, but I stated clearly that it is my opinion), none of the standard security-related specs were impacted -- user authentication, routing, etc. ... that's the reason the bug lived for so long.
Cheers,
Daniel
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Funding: https://www.paypal.me/dcmierla