SECURITY FIX: Move encryption key from query parameters to URL fragment #3

Merged
link0ln merged 1 commit into main from claude/fix-key-leak-via-fragment-011CUoJYuYL8d3PVKYyLQWq8
Nov 4, 2025

link0ln commented Nov 4, 2025

CRITICAL: This fixes a major security vulnerability where encryption keys
were exposed to the server via query parameters.

Problem:
- Before: https://inigma.idone.su/view?view=XXX&key=SECRET_KEY
- Encryption key was sent to server in HTTP GET request
- Keys were logged in nginx access logs
- Keys were visible to server admins, monitoring systems, and proxy servers
- This completely broke the end-to-end encryption promise

Solution:
- After: https://inigma.idone.su/view?view=XXX#key=SECRET_KEY
- Encryption key is now in URL fragment (hash)
- Fragments are NEVER sent to the server per RFC 3986
- Only the browser sees the encryption key
- True end-to-end encryption is now achieved

Changes:
1. main-app.js:160 - Changed '&key=' to '#key=' in URL generation
2. view-app.js:20-28 - Read key from window.location.hash instead of query
3. view-app.js:26-28 - Immediately clean URL to remove key from address bar

Impact:
- New links generated will have true E2E encryption
- Old links (with &key=) will stop working - this is intentional
- Existing logs may contain encryption keys - recommend log rotation

Security Level: CRITICAL
Breaking Change: YES (old links incompatible)
Ref: RFC 3986 - URI Generic Syntax, Section 3.5 (Fragment)

link0ln merged commit 7bf0a8e into main on Nov 4, 2025
1 check failed
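
The query-versus-fragment behaviour described in the PR above, as an added example that is not code from this repository. The function names, the `URLSearchParams` parsing of the fragment and the `history.replaceState` cleanup are assumptions about one way to implement it, and the sample key is constructed.

```javascript
// Added example (not the project's code); runs in Node 18+ or a browser.
// All function names are hypothetical.

// Build a share link with the key in the fragment. The key is percent-encoded
// so '+', '/' and '=' in a base64 key survive URLSearchParams parsing.
function buildShareLink(origin, viewId, key) {
  const url = new URL('/view', origin);
  url.searchParams.set('view', viewId);
  url.hash = 'key=' + encodeURIComponent(key);
  return url.href;
}

// What a client puts on the HTTP request line (and what an access log
// records): path plus query. The fragment is never part of it.
function requestTarget(link) {
  const url = new URL(link);
  return url.pathname + url.search;
}

// Viewer side: accept the key from the fragment only. A legacy link with
// key= in the query has already disclosed the key to the server, so it is
// reported as exposed instead of being used.
function readKey(link) {
  const url = new URL(link);
  if (url.searchParams.has('key')) {
    return { key: null, exposed: true };
  }
  const fragment = new URLSearchParams(url.hash.slice(1));
  return { key: fragment.get('key'), exposed: false };
}

// Address-bar value after the key has been read (fragment stripped).
// In a browser: history.replaceState(null, '', cleanedUrl(location.href));
function cleanedUrl(link) {
  const url = new URL(link);
  return url.pathname + url.search;
}

// Constructed sample key containing characters that need encoding.
const demo = buildShareLink('https://inigma.idone.su', 'XXX', 'aB3+/x==');
console.log('link:      ', demo);
console.log('server sees:', requestTarget(demo));
console.log('viewer key: ', readKey(demo).key);
```

`history.replaceState` removes the key from the address bar without adding a history entry; copies of the link held elsewhere (chat clients, bookmarks) still contain it.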