
some corrections

pull/487/head
lee 5 years ago
parent
commit
9d7c9696a4
  1. subjects/forum/forum-security.audit.en.md (11 lines changed)
  2. subjects/forum/forum-security.en.md (8 lines changed)

11
subjects/forum/forum-security.audit.en.md

@ -5,7 +5,8 @@
###### Is the Go TLS structure well configured? ###### Is the Go TLS structure well configured?
###### Is the database encrypt? ##### Try to access the database.
###### Does the database present a password for protection?
##### Try creating a user. Go to the database using the command `"sqlite3 <database-name>"` and run `"SELECT * FROM <user-table>;"` to select all users. ##### Try creating a user. Go to the database using the command `"sqlite3 <database-name>"` and run `"SELECT * FROM <user-table>;"` to select all users.
###### Are the passwords encrypted? ###### Are the passwords encrypted?
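Review bot: replacing "Is the database encrypt?" with a password question silently drops the encryption check, while the instructions file in this same commit now requires both a database password and an encrypted communication channel; add a matching audit question (for example "Is the communication with the database encrypted?") so the audit covers both requirements. The new step "Try to access the database." also does not say how the password requirement is verified, even though the next step already opens the file directly with `sqlite3 <database-name>`; state that opening the database without credentials is expected to fail. Minor wording: "Does the database present a password for protection?" reads better as "Is the database password-protected?".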
@ -13,13 +14,15 @@
##### Try to login into the forum and open the inspector(CTRL+SHIFT+i) and go to the storage to see the cookies(this can be different depending on the [browser](https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_are_browser_developer_tools)). ##### Try to login into the forum and open the inspector(CTRL+SHIFT+i) and go to the storage to see the cookies(this can be different depending on the [browser](https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_are_browser_developer_tools)).
###### Does the session cookie present a unique identifier? ###### Does the session cookie present a unique identifier?
###### Can you configure the certificates information, either via env or config file?
###### Are the allowed packages being respected?
#### General #### General
###### +Does the project implement their own certificates for the HTTPS protocol? ###### +Does the project implement their own certificates for the HTTPS protocol?
###### +Does the project implement UUI(Universal Unique Identifier) for the user session? ###### +Does the project implement UUID(Universal Unique Identifier) for the user session?
###### +Does the project implement [environment variables](https://en.wikipedia.org/wiki/Environment_variable) (.env file), for the TLS certificates?
#### Basic #### Basic
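Review bot: the two questions inserted before "#### General" ("Can you configure the certificates information, either via env or config file?" and "Are the allowed packages being respected?") end up inside the session-cookie section although neither concerns cookies, and the first one overlaps with the General question added in the same hunk ("Does the project implement environment variables (.env file), for the TLS certificates?"). Suggest moving both under General and merging the two certificate questions into one, e.g. "Can the TLS certificate paths be configured via environment variables or a config file?". The "UUI" to "UUID" fix is correct; the expansion "Universal Unique Identifier" still differs from the linked Wikipedia title "Universally unique identifier" used in the other file of this commit, so align it while here.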

8
subjects/forum/forum-security.en.md

@ -11,7 +11,7 @@ For this project you must take into account the security of your forum.
- You should encrypt : - You should encrypt :
- Clients passwords - Clients passwords
- Database - Database, for this will have to create a password for your database and encrypt the communication channel.
- Clients session cookies should be unique. For instance, the session state is stored on the server and the session should present an unique identifier. This way the client has no direct access to it. Therefore, there is no way for attackers to read or tamper with session state. - Clients session cookies should be unique. For instance, the session state is stored on the server and the session should present an unique identifier. This way the client has no direct access to it. Therefore, there is no way for attackers to read or tamper with session state.
This project will help you learn about : This project will help you learn about :
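Review bot: the new bullet "Database, for this will have to create a password for your database and encrypt the communication channel." is missing its subject; suggest "Database: for this you will have to create a password for your database and encrypt the communication channel." It would also help to say what "encrypt the communication channel" means for the SQLite driver this commit adds to the allowed packages, since the audit file only checks for a password and never for channel encryption.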
@ -21,12 +21,12 @@ This project will help you learn about :
- Database - Database
- password - password
- session/cookies - session/cookies
- Universal Unique Identifier (UUI) - Universal Unique Identifier (UUID)
### Hints ### Hints
- You can take a look at the `openssl` manual. - You can take a look at the `openssl` manual.
- For the session cookies you can take a look at the [Universal Unique Identifier (UUI)](https://en.wikipedia.org/wiki/Universally_unique_identifier) - For the session cookies you can take a look at the [Universal Unique Identifier (UUID)](https://en.wikipedia.org/wiki/Universally_unique_identifier)
### Instructions ### Instructions
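Review bot: the acronym fix is right, but the link text "Universal Unique Identifier (UUID)" still disagrees with the target URL `Universally_unique_identifier`; use "Universally Unique Identifier (UUID)" both here and in the "This project will help you learn about" item above so the expansion and the acronym match.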
@ -40,3 +40,5 @@ This project will help you learn about :
- All [standard go](https://golang.org/pkg/) packages are allowed. - All [standard go](https://golang.org/pkg/) packages are allowed.
- golang.org/x/crypto/bcrypt - golang.org/x/crypto/bcrypt
- github.com/satori/go.uuid - github.com/satori/go.uuid
- github.com/mattn/go-sqlite3
- golang.org/x/crypto/acme/autocert
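Review bot: `golang.org/x/crypto/acme/autocert` is added to the allowed packages without any corresponding change to the audit, whose certificate questions only ask whether the project "implements their own certificates" and whether the certificates come from an `.env` file; clarify whether certificates obtained through autocert satisfy those checks, otherwise an auditor has no way to score a project that uses the newly allowed package. The same applies to `github.com/mattn/go-sqlite3`: the audit's "Are the allowed packages being respected?" question should point at this list so reviewers know which imports are acceptable.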
