11
knowing when to trust a login page on a Cloudflare site
(infosec.pub)
submitted
5 months ago* (last edited 5 months ago)
by
coffeeClean@infosec.pub
to
c/cybersecurity@infosec.pub
Question for people willing to visit Cloudflare sites:
How do you determine whether to trust a login page on a CF site? A sloppy or naïve admin would simply take the basic steps to putting their site on Cloudflare, in which case the authentication traffic traverses CF. Diligent admins setup a separate non-CF host for authentication.
Doing a view-source on the login page and inspecting the code seems like a lot of effort. The source for the lemmy.world login page is not humanly readable. It looks as if they obfuscated the URLs to make them less readable. Is there a reasonably convenient way to check where the creds go? Do you supply bogus login info and then check the httpput headers?