Hello,
First question: Is it accurate to state that the security of an account with an A2A alias depends on three things:
- The correct Alias identifier used in the API call
- The path of the script making the API call
- The hostname of the server of the API call
We have at least identified the possibility of a root user being able to impersonate a legitimate API call.
We would like to understand what a good implementation looks like that protects the A2A API from attack.