This is great news.

I love thinking about exploit scenarios that remain.

Very niche, but attackers on a LAN or in the path to Cloudflare's edge servers probably have a small window to still exploit this.

In my case, I have about 25 millis before the RST packet arrives from CF:

ip=$(getent ahosts api.cloudflare.com | awk '$1 ~ /^[0-9.]+$/ { print $1; exit }') && time bash -c "exec 3<>/dev/tcp/$ip/80"

(Long command because I wanted to separate the DNS resolution time from the time it takes to send a SYN and then get the RST.)

An attacker observing network traffic for a SYN could spoof a single ACK and then quickly capture the request HTTP headers, including the auth payload. Often that fits in the first packet.

Another niche idea/risk: TCP Fast Open might also provide an avenue for the HTTP data to get sent before CF's RST packet is sent, too. I imagine TFO would apply because any connection (even an https one) would have established TFO with api.cloudflare.com, and then one single accidental hit to http instead of https may include payload regardless of the RST? Hmm.