Announcing Credential Broker

tl;dr: The utility is open-source; you can download it, contribute or learn more on GitHub here. A credential broker service stores all sensitive information and has a command-line client which can act as a streaming pre-hook to initialize environment variables for an application at runtime, without storing anything to disk. The broker service itself stores everything in encrypted form, with the broker client holding a key to unlock the data, provided the user is authenticated and has been authorized for the data requested. The server mimics SSH authentication: it uses Diffie-Hellman to establish encryption of the traffic, performs a challenge to validate that a user owns the private OpenPGP key to their account, and issues a 2FA request at a configurable interval to ensure the user hasn’t been compromised. SSL should be configured on the server to help prevent man-in-the-middle attacks. ...

April 7, 2021 · 3 min

XMLHttpRequest Security

It’s possible to intercept, adjust and otherwise tamper with an XHR request using JavaScript in the browser. The most common way of doing this is simply keeping a reference to the original XMLHttpRequest.prototype.send function, overwriting that function with a new one that does the tampering and then calls the original send function once finished. Here’s an example:

    // Keep a reference to the native send, then replace it with a wrapper.
    const XHR = XMLHttpRequest, XHRsend = XHR.prototype.send;
    XHR.prototype.send = function () {
      onFinish();                     // the caller's tampering hook runs here
      XHRsend.apply(this, arguments); // then the original send is invoked
    };

Identifying Tampering

It’s very straightforward to identify tampering of the function. Simply ensure that

    XMLHttpRequest.prototype.send.toString() === 'function send() { [native code] }';

evaluates to true (the exact whitespace of the native-code string can differ between browser engines, so normalize it before comparing). The function should always be native code if it wasn’t corrupted or tampered with. ...

June 2, 2020 · 2 min