Tighten local FS permissions around CA private key

This isn't an impactful issue, since user profile dir permissions will generally block access anyway, but it's good practice to keep this limited where possible (and good defense-in-depth generally)
httptoolkit · Jun 21, 2024 · 80035cb · 80035cb
1 parent 9822ae3
commit 80035cb
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/src/index.ts b/src/index.ts
@@ -56,7 +56,9 @@ async function generateHTTPSConfig(configPath: string) {
 
         return Promise.all([
             writeFile(certPath, newCertPair.cert).then(() => newCertPair.cert),
-            writeFile(keyPath, newCertPair.key)
+            writeFile(keyPath, newCertPair.key, {
+                mode: 0o600 // Only readable for ourselves, nobody else
+            })
         ]);
     });