Commit d4949327

URI.MungeSecretKey
TYPE: string/null
VERSION: 3.1.1
DEFAULT: NULL
--DESCRIPTION--
<p>
This directive enables secure checksum generation along with %URI.Munge.
It should be set to a secure key that is not shared with anyone else.
The checksum can be placed in the URI using %t. Use of this checksum
affords an additional level of protection by allowing a redirector
to check if a URI has passed through HTML Purifier with this line:
</p>

<pre>$checksum === hash_hmac("sha256", $url, $secret_key)</pre>

<p>
If the output is TRUE, the redirector script should accept the URI.
</p>

<p>
Please note that it would still be possible for an attacker to procure
secure hashes en masse by abusing your website's Preview feature or the
like, but this service affords an additional level of protection
that should be combined with website blacklisting.
</p>

<p>
Remember this has no effect if %URI.Munge is not on.
</p>
--# vim: et sw=4 sts=4
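A redirector that performs the check described above, as an added example that is not HTML Purifier's own code. It assumes a %URI.Munge template of the form `/redirect.php?url=%s&t=%t`, so the query parameter names `url` and `t` are assumptions, and it uses PHP's `hash_equals()` for a constant-time comparison in place of the `===` shown in the directive text.

```php
<?php
// Added example, not part of HTML Purifier: a minimal redirector that
// verifies the %t checksum generated under %URI.MungeSecretKey before
// redirecting. Assumed munge template: "/redirect.php?url=%s&t=%t".
declare(strict_types=1);

// Must be the same value configured as %URI.MungeSecretKey. Constructed
// placeholder; in practice load it from outside the web root.
const MUNGE_SECRET_KEY = 'replace-with-a-long-random-secret';

/**
 * Returns true only if $checksum is the HMAC-SHA256 of $url under $key,
 * i.e. the URL was produced by HTML Purifier with this secret.
 * hash_equals() compares in constant time, so the comparison itself does
 * not leak how many leading characters of a guessed checksum were right.
 */
function isValidMungeChecksum(string $url, string $checksum, string $key): bool
{
    if ($url === '' || $checksum === '') {
        return false;
    }
    $expected = hash_hmac('sha256', $url, $key);
    return hash_equals($expected, $checksum);
}

// $_GET already applies the URL decoding that undoes the %s encoding.
$url      = $_GET['url'] ?? '';
$checksum = $_GET['t']   ?? '';

if (!isValidMungeChecksum($url, $checksum, MUNGE_SECRET_KEY)) {
    // Checksum missing or wrong: the URL did not pass through HTML Purifier
    // (or was tampered with after munging), so do not redirect to it.
    http_response_code(403);
    exit('Refusing to redirect: URL was not produced by HTML Purifier.');
}

// A valid checksum only proves provenance, not safety; as the directive
// text notes, combine this with your own site blacklisting before redirecting.
header('Location: ' . $url, true, 302);
exit;
```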