You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The WHIP `POST` response includes TURN server credentials in plaintext inside the `Link` HTTP response header. While this is RFC-compliant WHIP behavior, it creates risk when `WHIP_AUTH_KEY` is not enforced, as any caller can retrieve TURN credentials without authentication.
Affected File
`src/api_whip.ts` (~line 238)
`src/utils.ts` (~line 42)
Current Behavior
HTTP/1.1 201 Created
Link: <turn:turn.example.com>; rel="ice-server"; username="username"; credential="<plaintext-password>"; credential-type="password"
This header is visible to:
Any unauthenticated caller when `WHIP_AUTH_KEY` is not set
Use short-lived TURN credentials (TURN REST API / time-limited HMAC credentials) rather than long-lived shared secrets. Short-lived credentials expire after minutes, limiting the blast radius if credentials leak.
Log a startup warning if `TURN_USERNAME`/`TURN_CREDENTIAL` are set but `WHIP_AUTH_KEY` is not set.
Severity
Low — RFC-compliant behavior; risk is mitigated when WHIP auth is enforced. However, long-lived credentials in headers are a hygiene concern.
Summary
The WHIP `POST` response includes TURN server credentials in plaintext inside the `Link` HTTP response header. While this is RFC-compliant WHIP behavior, it creates risk when `WHIP_AUTH_KEY` is not enforced, as any caller can retrieve TURN credentials without authentication.
Affected File
Current Behavior
This header is visible to:
Recommendation
Severity
Low — RFC-compliant behavior; risk is mitigated when WHIP auth is enforced. However, long-lived credentials in headers are a hygiene concern.
Found by automated security audit.