by throwitaway1123 619 days ago
> if your email provider attempts to scan urls to see where they actually go you end up giving them an auth token

One way you can handle this is to place the token in the hash portion of the url (which doesn't get sent to servers during an HTTP request), and then have JS on the frontend send the token to your backend manually. As long as the email provider isn't scanning links via a headless browser that executes JS, this should work.

I agree with your point about email abuse though (although you still have to prevent bots from abusing email based password resets).
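The fragment-based flow the comment describes, as an added example that is not part of the original post and not code from any particular provider: the token sits after `#`, so it is absent from the request a server or a plain link-scanner makes, and frontend JS reads it and POSTs it to the backend. The endpoint path, the `token` parameter name and the `fetch`-injection are assumptions made here for illustration.

```javascript
// Added example: magic-link token carried in the URL fragment.
// The fragment is never sent on the wire, so neither the web server nor a
// non-JS link scanner sees it; only JS running in the browser can read it.

const TOKEN_PARAM = 'token';                       // assumed parameter name
const REDEEM_ENDPOINT = '/api/magic-link/redeem';  // hypothetical backend route

// What a server (or a scanner that just fetches the link) observes: the URL
// with the fragment stripped, which is exactly what the browser puts in the
// request line.
function serverVisiblePart(link) {
  const u = new URL(link);
  u.hash = '';
  return u.toString();
}

// Extract the token from `location.hash`. Returns null when no usable token is
// present so callers can distinguish "nothing to redeem" from a real value.
function tokenFromFragment(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  const params = new URLSearchParams(raw);
  const token = params.get(TOKEN_PARAM);
  return token && token.length > 0 ? token : null;
}

// Build the request the frontend sends "manually" to the backend. Kept
// synchronous and side-effect free so it can be inspected in a test.
function buildRedeemRequest(token, endpoint = REDEEM_ENDPOINT) {
  return {
    url: endpoint,
    init: {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ token }),
      credentials: 'same-origin',
    },
  };
}

// Redeem the token from a fragment. `fetchImpl` is injected so the logic can be
// exercised offline; in the browser the default is the global fetch.
async function redeemFromFragment(hash, fetchImpl = globalThis.fetch) {
  const token = tokenFromFragment(hash);
  if (token === null) {
    return { ok: false, status: 0, reason: 'no token in fragment' };
  }
  const { url, init } = buildRedeemRequest(token);
  const res = await fetchImpl(url, init);
  return { ok: res.ok, status: res.status, reason: res.ok ? null : 'backend rejected token' };
}

// Replace the fragment in the address bar once the token has been used, so the
// secret does not linger in browser history or get copied with the URL.
function clearFragment(win) {
  if (win && win.history && typeof win.history.replaceState === 'function') {
    win.history.replaceState(null, '', win.location.pathname + win.location.search);
  }
}

// Browser entry point (skipped when run under Node). Redeeming only after an
// explicit click is a cheap way to reduce the exposure the comment mentions,
// where a scanner that does execute JS would otherwise trigger the redemption.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const button = document.getElementById('sign-in'); // assumed element id
  if (button) {
    button.addEventListener('click', async () => {
      const result = await redeemFromFragment(window.location.hash);
      clearFragment(window);
      console.log(result.ok ? 'signed in' : `failed: ${result.reason}`);
    });
  }
}
```

The `serverVisiblePart` helper makes the central property concrete: for `https://app.example/login#token=…` the server only ever receives `https://app.example/login`, which is why a URL-rewriting or prefetching mail provider cannot consume the token unless it actually runs the page's JavaScript.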