Every rejection leaves a trail, persistent log of rejected attempts
A rejection is data. Until last week we were throwing it away.
If an attacker submitted a forged signature against the public verify endpoint, we returned 404 signature_not_found and that was the entire footprint. Same for a cross-org access attempt ...
asqav.hashnode.dev2 min read