-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Hardening the RAP4 application #20
Comments
Currently, the storage of passwords is secure enough, even though they are stored literally in the database. The reason is that the database resides entirely in a container. The only ways of getting information from that database are:
Having said that, I would still like to see passwords to be removed completely. |
I guess that could be done by calling a (secure) hashfunction in the |
@Michiel-s is contemplating the prevention of SQL injections by using so-called 'prepared statements'. The idea is to send the query to the SQL server in two stages. In the first stage, the 'code' is sent (using placeholders for variables), and in the second, only the variables are sent, which allows the server to do whatever is necessary. |
W.r.t. SSL/https, this has nothing to do with Ampersand or the prototype generator. All it takes is a proper configuration of the webserver you are running and a valid server certificate installed on the webserver. You can get such certificates for free, online, at https://www.sslforfree.com/. You can even configure the stuff such that the certificate (that lives for a few months) is regularly renewed. |
W.r.t. the task list item "Do not give access to web-pages by hand-tweaking of URLs", it would be nice to be a bit more precise as to what you mean. Given only this text, my 2c would be that every RAP interface should start with an expression that only shows stuff for legit users. |
…esources_cronjob Feature/delete student resources cronjob
…actions-to-generate-docker-images Issue/279 create GitHub actions to generate docker images
The RAP3 application is currently live on URL http://rap.cs.ou.nl/RAP3. It has been built without much consideration of application security. That makes this issue more of an Epic than an issue. Let us start by thinking about the hardening required, making a list of measures and the reasons for wanting them. I have asked @hljonker (Hugo Jonker) to help us with this, so I added him to the team. I expect each item on the following task list to become an issue before we fix the issue. That creates room for sustainable solutions that affect future applications as well.
AMPERSAND_PRODUCTION_MODE=true
by typing the URL for installing the database directly into the browser.)Since we have a working RAP3 repository installed at http://52.174.4.78/RAP3/ we can start thinking about consolidating the security measures required for rule repositories.
TODO list
Since we have a working RAP3 repository installed at http://52.174.4.78/RAP3/ we can start thinking about consolidating the security measures required for rule repositories.
The text was updated successfully, but these errors were encountered: