Hi, I’m looking into using vault for a web application that receives secrets from the frontend and needs to store it. I think it would be appropriate to create a “write-only” policy and associate it to the application, so it can only write but not read secrets (see eg Add support for write-only policies · Issue #140 · hashicorp/vault · GitHub).
But thinking more, would this mean that anyone could use the browser’s developer tools to inspect the requests done by the application to write the secrets and replay them to write arbitrary secrets into vault? If so, is there a way to prevent this?