Repository: gitlab.com/gitlab-org/gitlab-foss.git
Diffstat (limited to 'doc/security/token_overview.md'):

    doc/security/token_overview.md | 5 +++--
    1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/doc/security/token_overview.md b/doc/security/token_overview.md
index fb4fb71356a..cb01c7d5160 100644
--- a/doc/security/token_overview.md
+++ b/doc/security/token_overview.md
@@ -5,7 +5,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
type: reference
---
-# GitLab Token overview **(FREE)**
+# GitLab Token overview **(FREE ALL)**
This document lists tokens used in GitLab, their purpose and, where applicable, security guidance.
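Review bot: the heading badge change from **(FREE)** to **(FREE ALL)** is a metadata-only edit with nothing in the hunk explaining the wider offering scope; confirm it matches the tier/offering badge convention used across the rest of the docs set, and note that the intro sentence below it is unchanged, so the body text still needs no adjustment for the new badge.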
@@ -178,7 +178,7 @@ This table shows available scopes per token. Scopes can be limited further on to
1. When creating a scoped token, consider using the most limited scope possible to reduce the impact of accidentally leaking the token.
1. When creating a token, consider setting a token that expires when your task is complete. For example, if performing a one-off import, set the
token to expire after a few hours or a day. This reduces the impact of a token that is accidentally leaked because it is useless when it expires.
-1. If you are recording a video that might contain a sensitive secret like a personal access token (PAT), feed token, or trigger token, you must mask that secret before uploading the video to GitLab Unfiltered or any other video hosting service. As an additional defense-in-depth security measure, you must revoke those secrets before you share the video publicly. For more information, see [revoking a PAT](../user/profile/personal_access_tokens.md#revoke-a-personal-access-token).
+1. If you have set up a demo environment to showcase a project you have been working on and you are recording a video or writing a blog post describing that project, make sure you are not leaking sensitive secrets (for example a personal access token (PAT), feed token or trigger token) during that process. If you have finished the demo, you must revoke all the secrets created during that demo. For more information, see [revoking a PAT](../user/profile/personal_access_tokens.md#revoke-a-personal-access-token).
1. Adding access tokens to URLs is a security risk, especially when cloning or adding a remote because Git then writes the URL to its `.git/config` file in plain text. URLs are
also generally logged by proxies and application servers, which makes those credentials visible to system administrators. Instead, pass API calls an access token using
headers like [the `Private-Token` header](../api/rest/index.md#personalprojectgroup-access-tokens).
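Review bot: the rewritten list item weakens two requirements from the removed text. The old item said you "must mask that secret before uploading the video" and "must revoke those secrets before you share the video publicly"; the new item only says "make sure you are not leaking sensitive secrets" and makes revocation conditional on "If you have finished the demo", which no longer ties revocation to publication. Suggest keeping the masking instruction and rewording the second sentence along the lines of "Before you publish the video or blog post, revoke all the secrets created during that demo." so that a still-running demo environment does not become a reason to leave recorded tokens live. The nested parenthetical "(for example a personal access token (PAT), feed token or trigger token)" also reads awkwardly; a comma list without the outer parentheses would be clearer.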
@@ -189,7 +189,6 @@ This table shows available scopes per token. Scopes can be limited further on to
Consider an approach such as [using external secrets in CI](../ci/secrets/index.md).
1. Do not log credentials in the console logs or artifacts. Consider [protecting](../ci/variables/index.md#protect-a-cicd-variable) and
[masking](../ci/variables/index.md#mask-a-cicd-variable) your credentials.
-1. If you have set up a demo environment to showcase a project you have been working on and you are recording a video or writing a blog post describing that project, make sure you are not leaking sensitive secrets during that process. If you are done with the demo, you must revoke all the secrets created during that demo.
1. Review all active access tokens of all types on a regular basis and revoke any that are no longer needed. This includes:
- Personal, project, and group access tokens.
- Feed tokens.
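Review bot: dropping this item is the right call, since its wording now lives in the merged item in the previous hunk and the list would otherwise carry the demo-environment advice twice; because the list uses `1.` auto-numbering, the deletion does not require renumbering, but check that no other doc page links to this item by position, and consider keeping the stronger "revoke before you share publicly" wording in the surviving copy rather than the conditional "If you have finished the demo".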