Commit 5186aaaa authored by Evan Read's avatar Evan Read

Merge branch 'doc-token-security-chriscool' into 'master'

Documentation: add 'Security considerations' section to token_overview.md

See merge request gitlab-org/gitlab!60761
parents cbcfc996 3f658749
...@@ -106,3 +106,15 @@ This table shows available scopes per token. Scopes can be limited further on to ...@@ -106,3 +106,15 @@ This table shows available scopes per token. Scopes can be limited further on to
1. Limited to the one project. 1. Limited to the one project.
1. Runner registration and authentication token don't provide direct access to repositories, but can be used to register and authenticate a new runner that may execute jobs which do have access to the repository 1. Runner registration and authentication token don't provide direct access to repositories, but can be used to register and authenticate a new runner that may execute jobs which do have access to the repository
1. Limited to certain [endpoints](../api/README.md#gitlab-cicd-job-token). 1. Limited to certain [endpoints](../api/README.md#gitlab-cicd-job-token).
## Security considerations
Access tokens should be treated like passwords and kept secure.
Adding them to URLs is a security risk. This is especially true when cloning or adding a remote, as Git then writes the URL to its `.git/config` file in plain text. URLs are also generally logged by proxies and application servers, which makes those credentials visible to system administrators.
Instead, API calls can be passed an access token using headers, like [the `Private-Token` header](../api/README.md#personalproject-access-tokens).
Tokens can also be stored using a [Git credential storage](https://git-scm.com/book/en/v2/Git-Tools-Credential-Storage).
When creating a scoped token, consider using the most limited scope possible to reduce the impact of accidentally leaking the token.
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment