4 comments

[ 12.5 ms ] story [ 1237 ms ] thread
(comment deleted)
Looks like it was possible to include the `x-middleware-subrequest` header in your request, tricking the state machine into thinking you'd passed auth already.

(Don't use the user input itself to encode state!)

(comment deleted)