Commit a536dd27 authored by Nick Malcolm's avatar Nick Malcolm Committed by Evan Read

Add & update security considerations for PATs

parent 1c1a006d
...@@ -117,4 +117,9 @@ Instead, API calls can be passed an access token using headers, like [the `Priva ...@@ -117,4 +117,9 @@ Instead, API calls can be passed an access token using headers, like [the `Priva
Tokens can also be stored using a [Git credential storage](https://git-scm.com/book/en/v2/Git-Tools-Credential-Storage). Tokens can also be stored using a [Git credential storage](https://git-scm.com/book/en/v2/Git-Tools-Credential-Storage).
Tokens should not be committed to your source code. Instead, consider an approach such as [using external secrets in CI](../ci/secrets/index.md).
When creating a scoped token, consider using the most limited scope possible to reduce the impact of accidentally leaking the token. When creating a scoped token, consider using the most limited scope possible to reduce the impact of accidentally leaking the token.
When creating a token, consider setting a token that expires when your task is complete. For example, if performing a one-off import, set the
token to expire after a few hours or a day. This reduces the impact of a token that is accidentally leaked because it is useless when it expires.
...@@ -62,6 +62,10 @@ to the URL. For example: ...@@ -62,6 +62,10 @@ to the URL. For example:
https://gitlab.example.com/-/profile/personal_access_tokens?name=Example+Access+token&scopes=api,read_user,read_registry https://gitlab.example.com/-/profile/personal_access_tokens?name=Example+Access+token&scopes=api,read_user,read_registry
``` ```
WARNING:
Personal access tokens must be treated carefully. Read our [token security considerations](../../security/token_overview.md#security-considerations)
for guidance on managing personal access tokens (for example, setting a short expiry and using minimal scopes).
## Revoke a personal access token ## Revoke a personal access token
At any time, you can revoke a personal access token. At any time, you can revoke a personal access token.
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment