[dgivney]

Sharing your key seems like the most 90s approach to system design.

"Only you and the search engines should know the key.. so obviously, we want you to host it in plain text, in the root directory."

[rstupek]

The key appears to not be a fixed value so unless your server allows directory scans it seems reasonably secure?

[dgivney]

I agree, in a 90s system design meeting - security through obscurity is reasonably secure.

[zhfliz]

without referring to this particular case, how is `/.well-known/LsyrYyZGDMMPwS1lAUS7qXo7c81XLaxPeRrSZdSReFk5zPaJaD` less secure than `/.well-known/key` requiring an `Authorization: LsyrYyZGDMMPwS1lAUS7qXo7c81XLaxPeRrSZdSReFk5zPaJaD` header?

[JimDabell]

URLs are logged in all kinds of places, they end up everywhere. Authorization headers are not.

[zhfliz]

that's a good point, although it wouldn't make a difference from the outside perspective.

it is however much easier to serve static content than evaluating headers. the benefit of significantly increased compatibility in how you can serve the content probably outweighs the risk of logging the secret in many cases, as static content serving is compatible with virtually anything, adding additional logic to be evaluated at runtime through other means than URL contents is not as widely supported.