AWS AWSCloudFormation medium security documentation change
Summary
Clarified allowed HTTP callback URLs to include 127.0.0.1 and ::1 with custom ports, and formatted code examples
Security assessment
The change explicitly restricts insecure HTTP usage to specific localhost variants and emphasizes testing purposes only. This clarifies security boundaries for callback URLs, reducing potential misconfigurations that could expose credentials or tokens over insecure channels.
Diff
diff --git a/AWSCloudFormation/latest/TemplateReference/aws-resource-cognito-userpoolclient.md b/AWSCloudFormation/latest/TemplateReference/aws-resource-cognito-userpoolclient.md index 4a7cbc5d5..296dbf3c9 100644 --- a//AWSCloudFormation/latest/TemplateReference/aws-resource-cognito-userpoolclient.md +++ b//AWSCloudFormation/latest/TemplateReference/aws-resource-cognito-userpoolclient.md @@ -231 +231 @@ See [OAuth 2.0 - Redirection Endpoint](https://tools.ietf.org/html/rfc6749#secti -Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only. +Amazon Cognito requires HTTPS over HTTP except for callback URLs to `http://localhost`, `http://127.0.0.1` and `http://[::1]`. These callback URLs are for testing purposes only. You can specify custom TCP ports for your callback URLs. @@ -233 +233 @@ Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing -App callback URLs such as myapp://example are also supported. +App callback URLs such as `myapp://example` are also supported.