Add API Keys for fzf --listen (#3374)

1 files changed, 12 insertions, 1 deletions

diff --git a/man/man1/fzf.1 b/man/man1/fzf.1
index 15c8ca6d..34024685 100644
--- a/man/man1/fzf.1
+++ b/man/man1/fzf.1
@@ -772,7 +772,9 @@ Start HTTP server on the given port. It allows external processes to send
 actions to perform via POST method. If the port number is omitted or given as
 0, fzf will choose the port automatically and export it as \fBFZF_PORT\fR
 environment variable to the child processes started via \fBexecute\fR and
-\fBexecute-silent\fR actions.
+\fBexecute-silent\fR actions. If \fBFZF_API_KEY\fR environment variable is
+set, the server would require sending an API key with the same value in the
+\fBx-api-key\fR HTTP header.
 
 e.g.
      \fB# Start HTTP server on port 6266
@@ -781,6 +783,10 @@ e.g.
      # Send action to the server
      curl -XPOST localhost:6266 -d 'reload(seq 100)+change-prompt(hundred> )'
 
+     # Start HTTP server on port 6266 and send an authenticated action
+     export FZF_API_KEY="$(head -c 32 /dev/urandom | base64)"
+     curl -XPOST localhost:6266 -H "x-api-key: $FZF_API_KEY" -d 'change-query(yo)'
+
      # Choose port automatically and export it as $FZF_PORT to the child process
      fzf --listen --bind 'start:execute-silent:echo $FZF_PORT > /tmp/fzf-port'
      \fR
@@ -800,6 +806,11 @@ this case make sure that the command is POSIX-compliant.
 .TP
 .B FZF_DEFAULT_OPTS
 Default options. e.g. \fBexport FZF_DEFAULT_OPTS="--extended --cycle"\fR
+.TP
+.B FZF_API_KEY
+Can be used to require an API key when using \fB--listen\fR option. If not set,
+no authentication will be required by the server. You can set this value if
+you need to protect against DNS rebinding and privilege escalation attacks.
 
 .SH EXIT STATUS
 .BR 0 "      Normal exit"