Jump to content
Max

Totp Qr Code Should Be Generated Locally And Have Response Headers Preventing Caching

Recommended Posts

Currently you use chart.googleapis.com to generate a QR code of the secret seed value used for TOTP.

Besides the question whether it is a good idea to share your secret seed with Google, using an external service also means you cannot control the response headers send, and therefore cannot do anything to prevent the image ending up in the user's browser cache, which is also undesirable.

 

Either let Blesta generate the QR code in PHP code and set proper response header for both the image and page it is on.

Or let the browser generate a QR code with random seed in Javascript, with a library like: http://davidshimjs.github.io/qrcodejs/

Share this post


Link to post
Share on other sites

We previously create CORE-2078 to address this. (Sorry, the task is private). In the task https://github.com/Bacon/BaconQrCode is recommended for use in generating the QR code. Your recommended JS library http://davidshimjs.github.io/qrcodejs/ might be better, I'll update the task to include the possible recommendation.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

×
×
  • Create New...