Mercurial > prosody-modules
diff mod_http_oauth2/README.markdown @ 5716:426c42c11f89
mod_http_oauth2: Make defaults more secure
This should be fine since we don't have a lot of clients to be
backwards-compatible with.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 14 Nov 2023 23:19:19 +0100 |
parents | b43c989fb69c |
children | 761142ee0ff2 |
line wrap: on
line diff
--- a/mod_http_oauth2/README.markdown Tue Nov 14 23:03:37 2023 +0100 +++ b/mod_http_oauth2/README.markdown Tue Nov 14 23:19:19 2023 +0100 @@ -224,10 +224,10 @@ ``` The [Proof Key for Code Exchange][RFC 7636] mitigation method is -optional by default but can be made required: +required by default but can be made optional: ```lua -oauth2_require_code_challenge = true -- default is false +oauth2_require_code_challenge = false -- default is true ``` Further, individual challenge methods can be enabled or disabled: @@ -235,7 +235,7 @@ ```lua -- These reflects the default allowed_oauth2_code_challenge_methods = { - "plain"; -- the insecure one + -- "plain"; -- insecure but backwards-compatible "S256"; } ```