hyperium/http

Clear contents of sensitive header values on drop

Opened this issue · 2 comments

Since sensitive data can be stored in headers (e.g. credentials in an Authorization header), it would be nice for the value to be "zeroed out" when it is dropped so as not to leave its data in memory. This is difficult as HeaderValue stores its contents in Bytes, but I think it would be possible to add a try_as_mut(&mut self) -> Option<&mut [u8]> method to Bytes to accomplish this.

I am fully willing to implement this myself, and have already started work towards that in tokio-rs/bytes#643, but I thought it good to make sure this goal is something you'd be interested in before continuing.

I don't think this is currently something we should try to promise. The point of the sensitive flag is as a hint so the value does not get stored in the h2/h3 dynamic table. It's not meant to be a comprehensive secret container.

I don't mean this as an explicit promise, more as a "better safe than sorry" implementation detail. An alternative is to still try to get try_as_mut into bytes, then create a Bytes value that I give to http and zeroize it myself. Other than that, I'm not sure how to securely include credentials.
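Added example, not code from hyperium/http or tokio-rs/bytes: a std-only sketch of the shape the thread is discussing. SharedBuf is a hypothetical stand-in for the reference-counted Bytes buffer inside HeaderValue, SensitiveValue stands in for a header value flagged sensitive, and try_as_mut has the semantics the opener proposes: mutable access only while the handle is the sole owner. The Drop impl shows the caveat the maintainer raises: once the buffer is shared (a clone sitting in an encoder, for instance), zeroing on drop is best effort at most, because the last handle to go away frees the allocation without touching it.

```rust
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};
use std::sync::Arc;

/// Overwrite every byte with zero using volatile stores, so the optimizer
/// cannot discard the writes as dead stores into a buffer that is about to
/// be freed. The compiler fence keeps later code from being hoisted above them.
pub fn zeroize(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, aligned, exclusively borrowed u8.
        unsafe { ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// Hypothetical stand-in for a reference-counted shared byte buffer, the role
/// that bytes::Bytes plays inside HeaderValue. Clones share one allocation.
#[derive(Clone)]
pub struct SharedBuf(Arc<Vec<u8>>);

impl SharedBuf {
    pub fn from_slice(s: &[u8]) -> Self {
        SharedBuf(Arc::new(s.to_vec()))
    }

    pub fn as_slice(&self) -> &[u8] {
        &self.0
    }

    /// Mirrors the try_as_mut the issue proposes for Bytes: mutable access is
    /// granted only while this handle is the sole owner. Once a clone exists
    /// (say, a copy queued in an h2 encoder) this returns None, so the caller
    /// never scribbles over memory another holder is still reading.
    pub fn try_as_mut(&mut self) -> Option<&mut [u8]> {
        Arc::get_mut(&mut self.0).map(|v| v.as_mut_slice())
    }
}

/// Hypothetical header value flagged sensitive, with best-effort zeroing on drop.
pub struct SensitiveValue {
    buf: SharedBuf,
}

impl SensitiveValue {
    pub fn new(bytes: &[u8]) -> Self {
        SensitiveValue { buf: SharedBuf::from_slice(bytes) }
    }

    pub fn as_bytes(&self) -> &[u8] {
        self.buf.as_slice()
    }

    /// Hand out a second handle, as happens when the value is cloned into a
    /// request that is being serialized.
    pub fn share(&self) -> SharedBuf {
        self.buf.clone()
    }

    /// Zero the contents if this is the only owner. Returns whether that
    /// happened; false means another handle still holds the secret.
    pub fn try_wipe(&mut self) -> bool {
        match self.buf.try_as_mut() {
            Some(b) => {
                zeroize(b);
                true
            }
            None => false,
        }
    }
}

impl Drop for SensitiveValue {
    fn drop(&mut self) {
        // Best effort only: if the buffer is shared this does nothing, and
        // whichever handle is dropped last frees the bytes without zeroing.
        let _ = self.try_wipe();
    }
}

fn main() {
    // Constructed sample credential; not a real token.
    let mut token = SensitiveValue::new(b"Bearer s3cr3t-token");
    let copy = token.share(); // e.g. a clone held by an encoder
    assert!(!token.try_wipe()); // shared: cannot zero safely
    assert_eq!(copy.as_slice(), b"Bearer s3cr3t-token");
    drop(copy);
    assert!(token.try_wipe()); // unique again: zeroed in place
    assert!(token.as_bytes().iter().all(|&b| b == 0));
    println!("wiped: {:?}", token.as_bytes());
}
```

The point of the try_wipe return value is that a caller who cares can find out whether the wipe actually happened; a Drop impl cannot report that, which is one reason the maintainer's "hint, not a secret container" framing is the honest one for a library type.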