ID header check vulnerable to timing attack

## Summary
In `internal/middleware/headers.go:13`, `CheckIDHeader` compares the shared secret using `!=` which is not constant-time:

```go
if idHeaderValue != id {
```

This allows timing side-channel attacks to brute-force the secret value one character at a time by measuring response latency.

## Suggested Fix
Use `crypto/subtle.ConstantTimeCompare`:

```go
import "crypto/subtle"

if subtle.ConstantTimeCompare([]byte(idHeaderValue), []byte(id)) != 1 {
```

Comparison time will then be constant regardless of how many characters match.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ID header check vulnerable to timing attack #48

Summary

Suggested Fix

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

ID header check vulnerable to timing attack #48

Description

Summary

Suggested Fix

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions