From 6cc170011bd0bdd35796e961d12ecdd836683542 Mon Sep 17 00:00:00 2001 From: Giteabot Date: Sat, 16 Dec 2023 13:04:05 +0800 Subject: [PATCH] Update docs for DISABLE_QUERY_AUTH_TOKEN (#28485) (#28488) Backport #28485 by @kdumontnu As described [here](https://github.com/go-gitea/gitea/pull/28390#issuecomment-1857553331). Co-authored-by: Kyle D (cherry picked from commit 2c2e00899d55f9b391ef91470177ac0aa19fdd38) --- docs/content/administration/config-cheat-sheet.en-us.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/content/administration/config-cheat-sheet.en-us.md b/docs/content/administration/config-cheat-sheet.en-us.md index 0e6b1994bb..37b3d7e966 100644 --- a/docs/content/administration/config-cheat-sheet.en-us.md +++ b/docs/content/administration/config-cheat-sheet.en-us.md @@ -573,6 +573,7 @@ And the following unique queues: - off - do not check password complexity - `PASSWORD_CHECK_PWN`: **false**: Check [HaveIBeenPwned](https://haveibeenpwned.com/Passwords) to see if a password has been exposed. - `SUCCESSFUL_TOKENS_CACHE_SIZE`: **20**: Cache successful token hashes. API tokens are stored in the DB as pbkdf2 hashes however, this means that there is a potentially significant hashing load when there are multiple API operations. This cache will store the successfully hashed tokens in a LRU cache as a balance between performance and security. +- `DISABLE_QUERY_AUTH_TOKEN`: **false**: Reject API tokens sent in URL query string (Accept Header-based API tokens only). This setting will default to `true` in Gitea 1.23 and be deprecated in Gitea 1.24. ## Camo (`camo`)