-rw-r--r--readme.md20
1 files changed, 20 insertions, 0 deletions
diff --git a/readme.md b/readme.md
index 6fab8d8..1508142 100644
--- a/readme.md
+++ b/readme.md
@@ -182,6 +182,26 @@ thread-local global variables.
182* SQL injections are prevented by using proper query parameters substitution, 182* SQL injections are prevented by using proper query parameters substitution,
183 automatically handled by the embrace and psycopg libraries. 183 automatically handled by the embrace and psycopg libraries.
184 184
185* Passwords are salted and hashed when stored in the database to ensure some
186 minimal protection of the [data at rest]. The hashing is handled by the
187 [passlib] library, which also covers algorithm migrations.
188
189* Cross-Site Request Forgery ([CSRF]) attacks are mitigated through the
190 conjunctive use of POST requests for user actions and [SameSite] restrictions
191 for session cookies. (_note: this will become a sufficient protection only
192 when support in browsers will become ubiquitous_).
193
194* In its current state, the application does not implement any kind of rate
195 limiting. Such restriction would be needed for real world applications in
196 order to mitigate account password brute-force attacks, but also to prevent
197 users from avoiding transfer fees by sending many small unbilled
198 transactions.
199
200[data at rest]: https://en.wikipedia.org/wiki/Data_at_rest
201[passlib]: https://passlib.readthedocs.io/en/stable/
202[CSRF]: https://owasp.org/www-community/attacks/csrf
203[SameSite]: https://owasp.org/www-community/SameSite
204
185 205
186## Development environment 206## Development environment
187 207
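Review bot: The CSRF bullet (lines 189-192 of the new readme) relies on "POST requests for user actions" as half of the mitigation, but requiring POST on its own does not stop a cross-site request: a form on an attacker's page can submit a POST to the application, and the note on line 191-192 already admits that SameSite alone is "sufficient protection only when support in browsers will become ubiquitous". Suggest stating the gap explicitly and naming the intended fallback, for example a per-session anti-CSRF token checked on every state-changing POST, or an Origin/Referer check, so readers do not take the current wording as a complete defence. Minor wording: "conjunctive use of POST requests" reads better as "combined use of POST requests", and "when support in browsers will become ubiquitous" should be "once browser support is ubiquitous". The rate-limiting bullet (lines 194-198) is a useful, candid statement of a known limitation; it would be stronger if the two risks it names (password brute-force and fee avoidance via many small transactions) were each paired with the kind of limit that would address them, since they call for different keys (per-account/per-IP attempt limits versus per-account transaction counts or minimum amounts).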