Passwords
cross-posted from: https://infosec.pub/post/10262373 > Question for people willing to visit Cloudflare sites: > > How do you determine whether to trust a login page on a CF site? A sloppy or naïve admin would simply take the basic steps to putting their site on Cloudflare, in which case the authentication traffic traverses CF. Diligent admins setup a separate non-CF host for authentication. > > Doing a view-source on the login page and inspecting the code seems like a lot of effort. The source for the lemmy.world login page is not humanly readable. It looks as if they obfuscated the URLs to make them less readable. Is there a reasonably convenient way to check where the creds go? Do you supply bogus login info and then check the httpput headers?
[eff.org/what-is-a-passkey](https://www.eff.org/what-is-a-passkey) via [@eff](https://mastodon.social/users/eff)