This repository was archived by the owner on May 7, 2024. It is now read-only.
This repository was archived by the owner on May 7, 2024. It is now read-only.
Insecure behaviour by default: a vanilla run asks for admin creation #815
Description
(I understand that this project has been abandoned since 2020 in favor of your own Kong competitor but just in case you want to resume it ...)
The first time the application is executed, it will ask for the creation of an administrator password.
This is not secure since there is a time window in which a malicious user can gain control of the service.
Other products create a one-use first-time token that is dumped into the logs (which are only accessible to administrators).
Thanks.