item 9149619


evanphx | 11 years ago

That's a good point actually, I could see that happening.

What is your concern about the url used? That they point at something a user is trying to coerce you to hit? If so, that could be a public IP too..


jkarneges | 11 years ago

It's more about hitting internal services, where there may not be adequate protections in place. There's some earlier discussion here: https://news.ycombinator.com/item?id=7139176

evanphx | 11 years ago

Ah! Ok, I got it. Feels like the right way to handle this is to allow a blacklist to be defined via config file, then applied per request, something like "X-Templar-Blacklist: internal". The list would be a set of IP ranges and thus you'd have to construct the list so that the EC2 => EC2 problem doesn't crop up, but it's doable!
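The design sketched in the last comment (named blacklists of IP ranges from a config file, selected per request by a header, and used to refuse URLs that resolve to internal services) as an added example. This is not Templar's code: the header name X-Templar-Blacklist, the list names, the config contents and the DNS table are all assumptions constructed here so the example runs offline. The resolver is injectable, and in production you would pass net.LookupIP. The check deliberately inspects every address a hostname resolves to, because a host that returns one public and one internal address is the classic way past a range blacklist.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Blacklists maps a list name (the value a client would send in the
// hypothetical X-Templar-Blacklist header) to the CIDR ranges it denies.
type Blacklists map[string][]*net.IPNet

// SampleConfig is a constructed stand-in for what the config file might define.
// "metadata" covers the EC2 instance-metadata addresses; "internal" covers
// RFC 1918 / ULA space so EC2 => EC2 traffic on public addresses still works.
var SampleConfig = map[string][]string{
	"internal": {"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7"},
	"loopback": {"127.0.0.0/8", "::1"},
	"metadata": {"169.254.0.0/16", "fd00:ec2::254"},
}

// ParseBlacklists turns the config map into parsed networks; a bare IP with
// no prefix length is treated as a /32 or /128.
func ParseBlacklists(cfg map[string][]string) (Blacklists, error) {
	out := Blacklists{}
	for name, cidrs := range cfg {
		for _, c := range cidrs {
			if !strings.Contains(c, "/") {
				if ip := net.ParseIP(c); ip != nil && ip.To4() != nil {
					c += "/32"
				} else {
					c += "/128"
				}
			}
			_, n, err := net.ParseCIDR(c)
			if err != nil {
				return nil, fmt.Errorf("blacklist %q: %w", name, err)
			}
			out[name] = append(out[name], n)
		}
	}
	return out, nil
}

// ListsFromHeader parses a header value such as "internal, metadata".
func ListsFromHeader(h string) []string {
	var names []string
	for _, f := range strings.Split(h, ",") {
		if f = strings.TrimSpace(f); f != "" {
			names = append(names, f)
		}
	}
	return names
}

// Match returns the first requested list that contains ip. IPNet.Contains
// handles IPv4-mapped IPv6 addresses (::ffff:10.0.0.1) as their IPv4 form.
func (b Blacklists) Match(names []string, ip net.IP) (string, bool) {
	for _, name := range names {
		for _, n := range b[name] {
			if n.Contains(ip) {
				return name, true
			}
		}
	}
	return "", false
}

// CheckURL resolves the URL's host and rejects it if ANY resulting address is
// in one of the requested lists. Unknown list names fail closed.
func CheckURL(raw string, names []string, b Blacklists, resolve func(string) ([]net.IP, error)) error {
	for _, n := range names {
		if _, ok := b[n]; !ok {
			return fmt.Errorf("unknown blacklist %q", n)
		}
	}
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("url has no host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = resolve(host); err != nil {
		return err
	}
	if len(ips) == 0 {
		return fmt.Errorf("no addresses for %q", host)
	}
	for _, ip := range ips {
		if name, hit := b.Match(names, ip); hit {
			return fmt.Errorf("%s resolves to %s, blocked by list %q", host, ip, name)
		}
	}
	return nil
}

// FakeResolve is a constructed DNS table so the example runs offline.
func FakeResolve(host string) ([]net.IP, error) {
	table := map[string][]string{
		"example.com": {"93.184.216.34"},
		"rebind.test": {"93.184.216.34", "10.0.0.5"}, // one public, one internal answer
		"db.internal": {"172.31.4.20"},
	}
	addrs, ok := table[host]
	if !ok {
		return nil, fmt.Errorf("no such host %q", host)
	}
	var ips []net.IP
	for _, a := range addrs {
		ips = append(ips, net.ParseIP(a))
	}
	return ips, nil
}

func main() {
	b, err := ParseBlacklists(SampleConfig)
	if err != nil {
		panic(err)
	}
	lists := ListsFromHeader("internal, loopback, metadata") // hypothetical header value
	for _, u := range []string{"http://example.com/", "http://169.254.169.254/latest/meta-data/", "http://rebind.test/"} {
		if err := CheckURL(u, lists, b, FakeResolve); err != nil {
			fmt.Println("DENY ", u, "->", err)
		} else {
			fmt.Println("ALLOW", u)
		}
	}
}
```

One caveat a proxy author would want: checking the resolved address and then letting the HTTP client resolve the name again on dial leaves a window for DNS rebinding. The addresses validated here should be the ones actually dialed, for example by supplying a custom DialContext that connects to the checked IP rather than re-resolving the hostname.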