Hi Daniel,

the word “only” makes it sound like a small issue, at least to my ears.

Best 

Gerry



On 2 Sep 2020, at 13:33, Daniel-Constantin Mierla <miconda@gmail.com> wrote:

Hello,

On 02.09.20 12:53, Gerry | Rigatta wrote:
[...]

I can only guess that Maxim took offence with your wording here, which can be understood as downplaying the risk
The only security risk in my opinion

please provide further details on why it is downplaying. Have you identified another security risk? I would like to be aware of it and also let the others know. Or maybe something else is wrong in my statement; my English is not native and likely not the best out there. I am eager to learn from you and do better in the future.

Using custom header names to tighten or loosen the security is a per-deployment specific approach, expected that only an insider knows it, but then such a guy probably has access to more important sensitive data (such as subscriber passwords, etc.).

Based on my review (I could be wrong of course, but I stated clearly that it is my opinion), none of the standard security related specs were impacted -- user authentication, routing, etc. ... that's the reason the bug lived for so long.

Cheers,
Daniel

-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Funding: https://www.paypal.me/dcmierla