Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Are you sure they have full access to your TLS certificates? Or can't you bring your own in this case?


They host the website thus they can inject anything anywhere in the body before https kicks in.


It depends how the code is being injected. If they’re using a an output filter on the web server, they could do it before the encryption stage.

See http://nginx.org/en/docs/http/ngx_http_sub_module.html & https://httpd.apache.org/docs/2.4/filter.html




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: