
TOTP QR code should be generated locally and have response headers preventing caching



Currently you use chart.googleapis.com to generate a QR code of the secret seed value used for TOTP.

Besides the question of whether it is a good idea to share your secret seed with Google, using an external service also means you cannot control the response headers sent, and therefore cannot do anything to prevent the image from ending up in the user's browser cache, which is also undesirable.

Either let Blesta generate the QR code in PHP code and set proper response headers for both the image and the page it is on.

Or let the browser generate a QR code with a random seed in JavaScript, with a library like: http://davidshimjs.github.io/qrcodejs/
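As an added example (not Blesta's code and not from the qrcodejs project), this builds the otpauth payload a locally rendered QR code should carry, lists the no-cache headers to set on both the image and its page, and audits an image URL to flag when the secret is being handed to a third-party host such as chart.googleapis.com. The first-party hostname and the sample secret are assumed values.

```javascript
// Added example, not Blesta's code. QR rendering itself is left to a local
// library (PHP server-side or qrcodejs in the browser); this covers the
// payload, the cache headers and an audit check for third-party leakage.
const FIRST_PARTY_HOST = 'billing.example.com'; // assumed Blesta hostname

// otpauth:// URI in the Key Uri Format consumed by authenticator apps.
function otpauthUri(issuer, account, secretBase32) {
  if (!/^[A-Z2-7]+=*$/.test(secretBase32)) throw new Error('secret must be base32');
  const label = encodeURIComponent(`${issuer}:${account}`);
  const q = new URLSearchParams({
    secret: secretBase32, issuer, algorithm: 'SHA1', digits: '6', period: '30',
  });
  return `otpauth://totp/${label}?${q.toString()}`;
}

// Headers to send with BOTH the QR image response and the page embedding it,
// so neither browser nor intermediary caches retain the secret.
function noCacheHeaders() {
  return {
    'Cache-Control': 'no-store, no-cache, must-revalidate, max-age=0',
    'Pragma': 'no-cache',
    'Expires': '0',
    'Referrer-Policy': 'no-referrer', // keep the page URL out of image requests
  };
}

// Audit: does this <img src> hand an otpauth secret to another host?
// Returns only booleans and the host; the secret itself is never echoed.
function auditQrImageUrl(src) {
  const u = new URL(src);
  // Google Charts carries the QR payload in "chl"; accept common alternatives.
  const payload = u.searchParams.get('chl') || u.searchParams.get('data')
    || u.searchParams.get('text') || '';
  if (!payload.startsWith('otpauth://')) {
    return { host: u.host, thirdParty: false, secretLeaked: false };
  }
  const hasSecret = new URL(payload).searchParams.get('secret') !== null;
  const thirdParty = u.host !== FIRST_PARTY_HOST;
  return { host: u.host, thirdParty, secretLeaked: thirdParty && hasSecret };
}

// Constructed sample: well-known base32 test secret, not a real user's seed.
const SAMPLE_URI = otpauthUri('Blesta', 'alice@example.com', 'JBSWY3DPEHPK3PXP');
const GOOGLE_IMG = 'https://chart.googleapis.com/chart?cht=qr&chs=200x200&chl='
  + encodeURIComponent(SAMPLE_URI);
const LOCAL_IMG = `https://${FIRST_PARTY_HOST}/totp/qr.png?chl=`
  + encodeURIComponent(SAMPLE_URI);
```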
