Skip to content

Security: TURN server credentials transmitted in plaintext HTTP Link response header #251

Description

@LucasMaupin

Summary

The WHIP `POST` response includes TURN server credentials in plaintext inside the `Link` HTTP response header. While this is RFC-compliant WHIP behavior, it creates risk when `WHIP_AUTH_KEY` is not enforced, as any caller can retrieve TURN credentials without authentication.

Affected File

  • `src/api_whip.ts` (~line 238)
  • `src/utils.ts` (~line 42)

Current Behavior

HTTP/1.1 201 Created
Link: <turn:turn.example.com>; rel="ice-server"; username="username"; credential="<plaintext-password>"; credential-type="password"

This header is visible to:

  • Any unauthenticated caller when `WHIP_AUTH_KEY` is not set
  • Any network observer if HTTPS is not enforced

Recommendation

  1. Ensure `WHIP_AUTH_KEY` is always required when TURN credentials are configured — see also Security: WHIP/WHEP authentication bypassed when WHIP_AUTH_KEY env var is not set #223.
  2. Use short-lived TURN credentials (TURN REST API / time-limited HMAC credentials) rather than long-lived shared secrets. Short-lived credentials expire after minutes, limiting the blast radius if credentials leak.
  3. Log a startup warning if `TURN_USERNAME`/`TURN_CREDENTIAL` are set but `WHIP_AUTH_KEY` is not set.

Severity

Low — RFC-compliant behavior; risk is mitigated when WHIP auth is enforced. However, long-lived credentials in headers are a hygiene concern.


Found by automated security audit.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions