Contentful Content Management personal access token
| Attribute | Value |
| --- | --- |
| ID | contentful_management_apikey |
| Severity | high |
| Vendor | Contentful |
| Family | API Token |
Description
Contentful is a headless content management system where you can update the content of your website, a mobile app or any other platform that displays content.
Contentful’s Content Management API (CMA) helps you manage content in your spaces.
Security
Any hardcoded Contentful personal access token is a potential secret reported by this detector.
Inadvertently leaking a Contentful CMA personal access token can give attackers access to your Contentful account, giving them the same rights as the account owner.
Mitigation / Fix
- Follow your policy for handling leaked secrets, which typically requires revoking the token and creating a new one. Personal tokens are created and revoked in the CMA tokens admin view:
  - Go to the Contentful web app:
    - Log in to the Contentful web app.
    - Open the space that you want to access using the space selector in the top left.
    - Click Settings and select CMA tokens from the drop-down list.
  - Click Create personal access token. The Create personal access token window is displayed.
  - Enter a custom name for your personal access token and click Generate. Your personal access token is created.
  - Copy your personal access token to the clipboard.
- Remove the CMA personal access token from the source code or committed configuration file. Do not hardcode the new token again! Instead, supply the new token through a more secure alternative, such as one of the options documented in How to Prevent Hard-Coded Secrets.
- (Optional) If the code is under a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.
  You should consider any sensitive data in commits with secrets as compromised. Remember that secrets may be removed from history in your own projects, but not in other users' cloned or forked repositories.
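As an added illustration of the last two steps (example code, not from this page, GitGuardian or Contentful), the Python below pairs a fail-closed loader that reads the token from an environment variable with a small pre-commit style check that flags a token still hardcoded in source. It assumes the CFPAT- prefix of Contentful personal access tokens, which the page does not state, and the variable name CONTENTFUL_CMA_TOKEN is chosen for the example; `Client(...)` in the sample lines is just illustrative text, not an SDK call.

```python
import os
import re
from dataclasses import dataclass

# Assumption (not stated on the page): Contentful personal access tokens
# carry the "CFPAT-" prefix followed by a run of token characters.
CMA_TOKEN_RE = re.compile(r"CFPAT-[A-Za-z0-9_-]{20,}")

ENV_VAR = "CONTENTFUL_CMA_TOKEN"  # hypothetical name chosen for this example


def load_cma_token(env=os.environ):
    """Hardened form: read the token from the environment and fail closed.

    Refusing to start without a token is safer than falling back to a
    default, which is how hardcoded tokens tend to creep back in.
    """
    token = env.get(ENV_VAR, "").strip()
    if not token:
        raise RuntimeError(f"{ENV_VAR} is not set; refusing to start without a CMA token")
    return token


@dataclass(frozen=True)
class Finding:
    line_no: int
    redacted: str  # never log or print the full token


def redact(token):
    """Keep only the prefix and a short tail so a finding can be triaged safely."""
    return token[:6] + "..." + token[-4:]


def find_hardcoded_cma_tokens(source):
    """Scan source text (e.g. a file staged for commit) for hardcoded tokens."""
    findings = []
    for n, line in enumerate(source.splitlines(), start=1):
        for m in CMA_TOKEN_RE.finditer(line):
            findings.append(Finding(n, redact(m.group(0))))
    return findings


# Constructed sample lines: the 'before' form with a hardcoded (fake) token
# and the 'after' form that loads it from the environment instead.
BEFORE = 'client = Client("CFPAT-examplenotarealtoken0000000000000000")\n'
AFTER = "client = Client(load_cma_token())\n"
```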