Another question about Fleet Desktop. What sort of...
# fleet
j
Another question about Fleet Desktop. What sort of security auditing has been done on its communication with Fleet? We have Fleet behind a WAF to limit admin activities to known exit IPs, but if we want users to view their device information we'd need to also safelist the `/devices` path.
Are we relying on the UUID in the path to be difficult to guess, or is there some other auth taking place between Fleet Desktop and the Fleet server? (thx in advance!)
k
It is relying on the UUID. Since those are fairly unlikely to be cracked quickly, we've got things set up to rate limit the IP if there are multiple failed authentication attempts.
g
Hi Jason! So we have rate limiting on this (just added in 4.18), it is read-only and hard to guess, so with rate limiting it’s decent, BUT, we also want to add rotation because what if it was leaked in some way (user pastes it publicly accidentally or voluntarily etc). You can check these issues about rotation of the URL - https://github.com/fleetdm/fleet/issues/6064 and https://github.com/fleetdm/fleet/issues/6348 which will be documented publicly as well - https://github.com/fleetdm/fleet/issues/6993
j
wow - thanks all!
k
That's going to continue to evolve moving forward... and @Guillaume beat me to it.
j
hopefully we can also put some WAF rules to reduce abuse as well
g
Since it’s pretty much just a read-only page it should be possible to do so without breaking anything, even with fairly aggressive rules
j
if I can just ban crawlers and known bad IPs I'm probably fine. I can see it being a decent recon tool though for some really targeted attacks
For instance, I might be able to learn the public/private IP address of your system and also know that you don't have any endpoint protection running (because you are failing that policy)
I might even know also if you aren't fully patched, etc. for a common CVE that's easy to exploit
g
Yeah that's why the rate limiting and rotation is required in our opinion