Details
- Improvement
- Resolution: Done
- Critical
- 3.0.2
- None
- Platform.sh
- [3.2] - Sprint 2
Description
On Platform.sh, Varnish is purged using a token. This token used to have a random value by default unless another value was specified:
https://github.com/ezsystems/ezplatform/blob/master/config/packages/overrides/platformsh.php#L142
But now there is a default value for HTTPCACHE_VARNISH_INVALIDATE_TOKEN in the .env file (https://github.com/ezsystems/ezplatform/blob/master/.env#L55), and that value is used instead when deploying to Platform.sh.
Summary:
- Default value of the Varnish purge token in the past: based on the $_SERVER['PLATFORM_PROJECT_ENTROPY'] value.
- Default value of the Varnish purge token now: equal to the value specified in .env, which is ~.
I believe this can be confusing for people who are used to "secure" default values (and do not configure their own), which can lead to issues such as https://jira.ez.no/browse/EZP-31353 (because people will be using the ~ token).
We're treating this as a security improvement, not a bug, since it's about default values, which project admins are expected to change in any case.
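The two behaviours described above, as an added example that is not ezplatform's own code and does not reproduce the exact logic of platformsh.php: a resolver that falls back to a token derived from PLATFORM_PROJECT_ENTROPY only when HTTPCACHE_VARNISH_INVALIDATE_TOKEN is unset or still the ~ placeholder, refuses short tokens outright, and a constant-time check for the purge endpoint. The function names, the HMAC label and the 16-character minimum are assumptions made for this example; the environment arrays at the bottom are constructed sample input.

```php
<?php
declare(strict_types=1);

// Added example, not code from ezplatform. The exact derivation the old
// platformsh.php override used is not reproduced here; an HMAC over the
// project entropy is an assumption that gives the same property: a secret
// that is stable per project without being committed to .env.

const PLACEHOLDER_TOKEN = '~';      // the static default shipped in .env
const MIN_TOKEN_LENGTH  = 16;       // assumption: refuse anything shorter

/** True for "no token configured": null, empty, or the .env placeholder. */
function isPlaceholderToken(?string $token): bool
{
    return $token === null || trim($token) === '' || trim($token) === PLACEHOLDER_TOKEN;
}

/**
 * Decide which purge token to use for this deployment.
 *
 * - An explicitly configured, sufficiently long token wins.
 * - A configured but short token is an error, not silently replaced.
 * - No token (or the ~ placeholder) falls back to a per-project secret
 *   derived from PLATFORM_PROJECT_ENTROPY, which Platform.sh injects into
 *   every container of the project.
 */
function resolveVarnishInvalidateToken(array $env): string
{
    $configured = $env['HTTPCACHE_VARNISH_INVALIDATE_TOKEN'] ?? null;

    if (!isPlaceholderToken($configured)) {
        if (strlen($configured) < MIN_TOKEN_LENGTH) {
            throw new RuntimeException(
                'HTTPCACHE_VARNISH_INVALIDATE_TOKEN is too short to be a purge secret'
            );
        }
        return $configured;
    }

    $entropy = $env['PLATFORM_PROJECT_ENTROPY'] ?? '';
    if ($entropy === '') {
        // Neither a real token nor project entropy: refuse to start with "~".
        throw new RuntimeException(
            'No usable purge token: set HTTPCACHE_VARNISH_INVALIDATE_TOKEN'
        );
    }
    // Hypothetical label; domain-separates this secret from anything else
    // derived from the same entropy.
    return hash_hmac('sha256', 'varnish-invalidate-token', $entropy);
}

/** Purge-endpoint side: never accept the placeholder, compare in constant time. */
function purgeRequestAuthorized(string $presented, string $expected): bool
{
    return !isPlaceholderToken($expected) && hash_equals($expected, $presented);
}

// Constructed sample environments (not real project values).
$oldStyle = ['PLATFORM_PROJECT_ENTROPY' => 'c0ffee-constructed-entropy-value'];
$newStyle = ['PLATFORM_PROJECT_ENTROPY' => 'c0ffee-constructed-entropy-value',
             'HTTPCACHE_VARNISH_INVALIDATE_TOKEN' => '~'];
$explicit = ['HTTPCACHE_VARNISH_INVALIDATE_TOKEN' => 'an-operator-chosen-secret-token'];

// Both the "no token" and the "~ placeholder" cases resolve to the same
// entropy-derived token; the explicit token is used as-is.
$derived = resolveVarnishInvalidateToken($oldStyle);
assert($derived === resolveVarnishInvalidateToken($newStyle));
assert(resolveVarnishInvalidateToken($explicit) === 'an-operator-chosen-secret-token');
assert(purgeRequestAuthorized($derived, $derived));
assert(!purgeRequestAuthorized('~', '~'));       // placeholder is never a valid secret
```

The point of the fallback is that a deployment which forgets to set the variable still ends up with a per-project secret rather than a value shared by every installation that copied the default .env; the purge endpoint additionally rejects the placeholder even if it somehow reaches configuration.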