tech-userlevel archive
Re: Revised Web UI for NPF as a GSoC project
On Tue, Mar 15, 2016 at 12:48:29AM +0300, Aleksej Saushev wrote:
> coypu%SDF.ORG@localhost writes:
> > Feedback needed:
> >
> > Security:
> > It seems like there's a big need for security. I've learned of one
> > attack called cross-site request forgery. Seems like the way to tackle
> > it is an awkward dance with embedding tokens in forms.
> > I can already see that Sailor (other Lua framework)'s authentication
> > scheme doesn't handle this...
> >
> > Are there other such concerns?
>
> I would try to avoid this. It is a tricky thing that requires investing
> a lot more time than you have. Not that you may write without any
> thought about security, yet don't put too much effort into it.
It shouldn't be difficult to implement CSRF protection in any framework (which has
a reasonable API). I think you should get familiar with these projects before
you start:
* https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
* https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
If you encounter any problems with web security then ping me, I think I'd be
able to help since it's part of my $DAYJOB.
Best Regards,
Mateusz Kocielski
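The token-in-form scheme the question refers to (the synchronizer token pattern), written out as an added example that is not part of this thread and is not code from NPF, Sailor, or any other framework; the in-memory session store, the `/rules/delete` form and the handler names are constructed for illustration.

```python
import hmac
import re
import secrets

# Constructed in-memory session store: session id -> session data.
# Stands in for whatever session mechanism the framework provides.
SESSIONS = {}

def new_session():
    """Create a session and mint a random CSRF token bound to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid

def render_form(sid):
    """Embed the session's token in the form as a hidden field."""
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="POST" action="/rules/delete">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input type="submit" value="Delete rule"></form>')

def token_from_form(html):
    """What a legitimate browser submits: the hidden field it was served."""
    m = re.search(r'name="csrf_token" value="([^"]*)"', html)
    return m.group(1) if m else ""

def csrf_check(sid, form):
    """True only if the submitted token matches the one stored in the session.

    A cross-site POST carries the victim's session cookie automatically, but
    the attacker's page cannot read the token embedded in the victim's form,
    so a forged request arrives without a valid token. compare_digest keeps
    the comparison constant-time."""
    session = SESSIONS.get(sid)
    if session is None:
        return False
    submitted = form.get("csrf_token", "")
    return hmac.compare_digest(session["csrf_token"], submitted)

def handle_post(sid, form):
    """State-changing handler: refuse anything that fails the CSRF check."""
    if not csrf_check(sid, form):
        return 403, "CSRF token missing or invalid"
    return 200, "rule deleted"

if __name__ == "__main__":
    sid = new_session()
    print(handle_post(sid, {"csrf_token": token_from_form(render_form(sid))}))
    print(handle_post(sid, {}))  # request without the token is rejected
```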