This repository was archived by the owner on Feb 11, 2026. It is now read-only.
Replies: 1 comment
Hello 👋 Thanks for your proposal. I think in both cases showing a generic error page should be the way to go. Leaking too specific information about SignedURL or tokens is usually considered bad practice, because it can lead to brute force attacks. I do not have any specific document that talks about SignedURL security. But a general read around "Brute force password reset token" will give you an answer as to why the reason for a token's invalidity should be kept opaque.
📚 Summary
The RFC introduces a new method to `RequestContract` that will allow developers to check if a signed URL used to be valid, but has expired.
🔗 Links
Full Rendered Proposal
Original PR
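The trade-off discussed in this thread, as an added example that is not part of the thread and not AdonisJS code: a minimal HMAC signed-URL check that distinguishes an expired link from a forged one for server-side logging only, while the client receives the same generic response in both cases. The URL format, the secret and all function names are assumptions made for illustration.

```javascript
// Added example; hypothetical names, not the AdonisJS API.
const { createHmac, timingSafeEqual } = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // constructed value; load real keys from config

// Sign "path?expires=<unix-seconds>" and append the HMAC-SHA256 as "signature".
function signUrl(path, expiresAt, secret = SECRET) {
  const payload = `${path}?expires=${expiresAt}`;
  const sig = createHmac('sha256', secret).update(payload).digest('hex');
  return `${payload}&signature=${sig}`;
}

// Internal check: returns a precise reason, intended for server-side logs only.
function checkSignedUrl(url, now, secret = SECRET) {
  const match = /^(.*\?expires=(\d+))&signature=([0-9a-f]{64})$/.exec(url);
  if (!match) return 'malformed';
  const [, payload, expires, sig] = match;
  const expected = createHmac('sha256', secret).update(payload).digest();
  // Constant-time comparison; both buffers are 32 bytes at this point.
  if (!timingSafeEqual(expected, Buffer.from(sig, 'hex'))) return 'bad_signature';
  // Expiry is only trusted once the signature has verified, because
  // the "expires" value is part of the signed payload.
  return Number(expires) < now ? 'expired' : 'valid';
}

// What the client sees: one opaque failure for every rejected URL.
function handleRequest(url, now, log = []) {
  const reason = checkSignedUrl(url, now);
  if (reason === 'valid') return { status: 200, body: 'OK', log };
  log.push({ event: 'signed_url_rejected', reason }); // never sent to the client
  return { status: 403, body: 'This link is invalid or no longer available.', log };
}
```
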