Security Issues
IP addresses/Emails: Only viewable by the user and by admins. Admins will have a specific API for looking at user data. Passwords: Passwords will be hashed with BCrypt, so only the user knows the plaintext. If the stored hash is compromised it is not directly useful to an attacker. However, the password can be reset by an admin or by the user.
Identify possible attack vectors, that is, ways malicious users could try to use your software to escalate their privileges. This includes root access to your server, access to other users' sensitive information (say via XSS attacks), root access to your database, etc. Explain the protection plan.
MySQL Injection: Sanitize user input and never build queries directly from user-supplied strings.
XSS: Sanitize user input, encode data in responses, set proper content-type headers, and use a Content Security Policy. https://portswigger.net/web-security/cross-site-scripting#how-to-prevent-xss-attacks
Unauthorized spam injection: Reject unauthorized queries and enforce proper user identification (every entity is associated with its creator, which allows for quick deletion).
Password Brute-forcing/Rainbow table: Use a Captcha on login and rate-limit user requests.
Google Cloud compromise: Ensure all certificates and user logins are secure and not publicly available. All Google Cloud accounts should have two-factor authentication. See more: https://cloud.google.com/security/best-practices
Directory traversal: Return 404 errors for folders, for pages outside the user's role, and for deleted resources. Log unauthorized or bot-like behavior.
Cross Site Request Forgery (CSRF): Proper API design to avoid URL/HTTP request flaws, use form keys, check the 'Referer' header on HTTP requests, and use a hash for all forms.
DDoS Attacks: Refuse requests from known-bad IPs, from unexpected geographies, and from IPs making too many requests too quickly. Collect traffic data to identify and block other malicious connections. Prioritize the most important functions to keep online during an attack.
Since users will be creating accounts with sensitive data, we need to ensure their privacy. This will also be useful if we decide to use a third-party app/website down the road, since they usually require a privacy policy. We will be using https://www.privacypolicies.com/privacy-policy-generator/ to generate a privacy policy for our app. A good thing about this particular privacy policy generator is that it does not seem to be complicated! This will let our users know how their data will be collected and used, and give them confidence in their security while using our app.