Several measures to enhance security

Because this concerns users' private data, I hope NextDNS can do better at protecting account security.

1. Add a button to disable the API key.
Not everyone needs an API key, but if the API key is leaked, a malicious user can pull the log of every domain the user has visited at will, and worse, the user has no way of knowing when the API key has become known to others (for example, after forgetting to log out of the account). So I hope users can be given the option to decide whether to enable this feature, which carries some risk.

2. Add a button to reset (regenerate) the API key.
When you need the API but know that the previous API key has been compromised, the best course is to regenerate the API key, so I hope NextDNS will support this feature; it is also a way to keep the API key more secure.

3. Display the number of currently logged-in sessions and their details.
Users need to know at what time, from what IP, and on what device their account is logged in, since many cookie-stealing techniques can now mimic the user's login without their knowledge. It would also be nice to be able to kick out a login session, or to have a feature called "log out of all devices other than this one".


For example, the infamous "CloudBae Big Data Industry Development Co.", a hacking company with an official background in China, was able to steal and monitor users' online behavior with the help of government-controlled telecommunications companies.

3 replies
  • There are two other ideas that can improve security:

    Email Notifications
    "It would be nice if you could enable the option to receive an email alert on successful login."

    U2F Security Key (YubiKey) support

    • servilo If someone else uses my API key to get log information, will I receive an alert email? There seems to be no way for a user to know whether someone has used their API key to query log information. For example, if I log into NextDNS and a colleague learns my API key without my knowledge, does that mean that from then on he can get my log information at will through the API, without my knowing at all?

  • I've recently suffered an insider-assisted security incident. It was VERY obvious that I used NextDNS. I've since changed the password and 2FA, but the API key I cannot change, remove, deactivate, nothing, nada, niente.
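As an added example (not NextDNS's code, and not from anyone in this thread), here is a minimal Python model of the controls requested in the original post and the replies: an API key that can be disabled and regenerated (items 1 and 2), a record of every successful key use that answers the reply's question about whether someone else has been using the key, and a session registry with per-session revocation and "log out other devices" (item 3), including the login hook where an e-mail alert on successful login would be sent. All class, method and field names are hypothetical; the IP addresses and user agents in the demo are constructed.

```python
# Added example, not NextDNS code. Names are hypothetical; sample IPs and user
# agents are constructed. Keys and session ids are generated at run time.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


def _digest(secret: str) -> str:
    # Only a SHA-256 digest is stored, so a copy of the database does not hand
    # an attacker usable keys. A 256-bit random key needs no salt or slow KDF.
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class KeyUse:
    when: datetime
    client_ip: str
    endpoint: str


@dataclass
class Session:
    session_id: str
    client_ip: str
    user_agent: str
    created: datetime


class Account:
    def __init__(self) -> None:
        self._key_digest: Optional[str] = None  # None means API access is off
        self.key_uses: List[KeyUse] = []        # audit trail of successful key use
        self.sessions: Dict[str, Session] = {}
        self.alerts: List[str] = []             # messages that would be e-mailed

    # Item 1 and item 2: the key can be switched off and regenerated.
    def enable_api_key(self) -> str:
        """Issue a fresh key and return it once; only its digest is kept.
        Calling this on an enabled account regenerates the key, which
        invalidates the previously issued one."""
        key = secrets.token_urlsafe(32)
        self._key_digest = _digest(key)
        return key

    def disable_api_key(self) -> None:
        self._key_digest = None

    def api_key_enabled(self) -> bool:
        return self._key_digest is not None

    def authorize(self, presented: str, client_ip: str, endpoint: str) -> bool:
        """Constant-time check of a presented key; every success is recorded
        so the owner can later spot callers that were not them."""
        if self._key_digest is None:
            return False
        if not hmac.compare_digest(self._key_digest, _digest(presented)):
            return False
        self.key_uses.append(KeyUse(datetime.now(timezone.utc), client_ip, endpoint))
        return True

    def key_uses_not_from(self, own_ips: Set[str]) -> List[KeyUse]:
        """Uses from addresses the owner does not recognise: the signal the
        reply asks for (has someone else been using my key?)."""
        return [u for u in self.key_uses if u.client_ip not in own_ips]

    # Item 3: visible sessions, per-session revocation, "log out others".
    def login(self, client_ip: str, user_agent: str) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(sid, client_ip, user_agent, datetime.now(timezone.utc))
        # Hook for the "e-mail alert on successful login" suggestion.
        self.alerts.append(f"New login from {client_ip} ({user_agent})")
        return sid

    def list_sessions(self) -> List[Session]:
        return sorted(self.sessions.values(), key=lambda s: s.created)

    def revoke_session(self, sid: str) -> bool:
        return self.sessions.pop(sid, None) is not None

    def logout_others(self, keep_sid: str) -> int:
        """End every session except the caller's; returns how many were ended."""
        others = [sid for sid in self.sessions if sid != keep_sid]
        for sid in others:
            del self.sessions[sid]
        return len(others)


if __name__ == "__main__":
    acct = Account()
    k1 = acct.enable_api_key()
    k2 = acct.enable_api_key()  # regenerate: k1 is now dead
    print("old key still valid:", acct.authorize(k1, "203.0.113.7", "/logs"))
    print("new key valid:", acct.authorize(k2, "203.0.113.7", "/logs"))
    mine = acct.login("198.51.100.2", "Firefox")
    acct.login("203.0.113.7", "curl/8.0")
    print("ended other sessions:", acct.logout_others(mine))
    print("unrecognised key uses:", len(acct.key_uses_not_from({"198.51.100.2"})))
```

The two design points worth carrying into a real service are that the plaintext key is shown exactly once and never stored, so regeneration is the only recovery path once it is lost, and that a usage record keyed by source address and endpoint is what lets an account owner notice a leaked key at all; without it, the question in the reply above has no answer.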
