docs: add security remarks

author: pacien 2021-07-28 16:58:54 +0200
committer: pacien 2021-07-28 16:58:54 +0200
commit: f80c19c18eb01ed7e7c6f44cc25535c14659ba20 (patch)
tree: b2ddf79eddbe39082825d34411ec51ae705eaa30
parent: 4c4e078581532925e37cdcd47e7657295faee798 (diff)
download: uge_l2_rdbms_python_proto-f80c19c18eb01ed7e7c6f44cc25535c14659ba20.tar.gz
1 files changed, 20 insertions, 0 deletions
diff --git a/readme.md b/readme.md
index 6fab8d8..1508142 100644
--- a/readme.md
+++ b/readme.md
@@ -182,6 +182,26 @@ thread-local global variables.
 * SQL injections are prevented by using proper query parameters substitution,
  automatically handled by the embrace and psycopg libraries.
+* Passwords are salted and hashed when stored in the database to ensure some
+  minimal protection of the [data at rest]. The hashing is handled by the
+  [passlib] library, which also covers algorithm migrations.
+* Cross-Site Request Forgery ([CSRF]) attacks are mitigated through the
+  conjunctive use of POST requests for user actions and [SameSite] restrictions
+  for session cookies. (_note: this will become a sufficient protection only
+  when support in browsers will become ubiquitous_).
+* In its current state, the application does not implement any kind of rate
+  limiting. Such restriction would be needed for real world applications in
+  order to mitigate account password brute-force attacks, but also to prevent
+  users from avoiding transfer fees by sending many small unbilled
+  transactions.
+[data at rest]: https://en.wikipedia.org/wiki/Data_at_rest
+[passlib]: https://passlib.readthedocs.io/en/stable/
+[CSRF]: https://owasp.org/www-community/attacks/csrf
+[SameSite]: https://owasp.org/www-community/SameSite
 ## Development environment
author	pacien	2021-07-28 16:58:54 +0200
committer	pacien	2021-07-28 16:58:54 +0200
commit	f80c19c18eb01ed7e7c6f44cc25535c14659ba20 (patch)
tree	b2ddf79eddbe39082825d34411ec51ae705eaa30
parent	4c4e078581532925e37cdcd47e7657295faee798 (diff)
download	uge_l2_rdbms_python_proto-f80c19c18eb01ed7e7c6f44cc25535c14659ba20.tar.gz

diff --git a/readme.md b/readme.md index 6fab8d8..1508142 100644 --- a/readme.md +++ b/readme.md
@@ -182,6 +182,26 @@ thread-local global variables.
182	* SQL injections are prevented by using proper query parameters substitution,	182	* SQL injections are prevented by using proper query parameters substitution,
183	automatically handled by the embrace and psycopg libraries.	183	automatically handled by the embrace and psycopg libraries.
184		184
		185	* Passwords are salted and hashed when stored in the database to ensure some
		186	minimal protection of the [data at rest]. The hashing is handled by the
		187	[passlib] library, which also covers algorithm migrations.
		188
		189	* Cross-Site Request Forgery ([CSRF]) attacks are mitigated through the
		190	conjunctive use of POST requests for user actions and [SameSite] restrictions
		191	for session cookies. (_note: this will become a sufficient protection only
		192	when support in browsers will become ubiquitous_).
		193
		194	* In its current state, the application does not implement any kind of rate
		195	limiting. Such restriction would be needed for real world applications in
		196	order to mitigate account password brute-force attacks, but also to prevent
		197	users from avoiding transfer fees by sending many small unbilled
		198	transactions.
		199
		200	[data at rest]: https://en.wikipedia.org/wiki/Data_at_rest
		201	[passlib]: https://passlib.readthedocs.io/en/stable/
		202	[CSRF]: https://owasp.org/www-community/attacks/csrf
		203	[SameSite]: https://owasp.org/www-community/SameSite
		204
185		205
186	## Development environment	206	## Development environment
187		207