Deliver an image with sensitive data
I have a website where I want users to be able to configure authentication
using Google Authenticator(TOTP). This is done by presenting the user with
an QR code containing the secret key.
The naive approach right now is to generate the key and put it in an url
like this.
<img src="https://example.com/QRGenerator?key=....
I have two concerns with this. First the image might be cached and found
later, is the appropriate http no-cache headers enough to mitigate this?
Second is there a risk that the URL with the key parameters to be stored
in history. It appears to not be in history unless I open the image itself
in a new tab.
Are the above secure enough or are there better ways to present an image
with sensitive data.
No comments:
Post a Comment