From e6b66e5b77c548bbb19f0231b91d02510b6c1883 Mon Sep 17 00:00:00 2001 From: lee Date: Mon, 16 Mar 2020 12:09:36 +0000 Subject: [PATCH] removing somethings --- subjects/forum/forum-security.audit.en.md | 4 ++-- subjects/forum/forum-security.en.md | 9 +++++---- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/subjects/forum/forum-security.audit.en.md b/subjects/forum/forum-security.audit.en.md index e29e5a07f..ed3cb5589 100644 --- a/subjects/forum/forum-security.audit.en.md +++ b/subjects/forum/forum-security.audit.en.md @@ -8,7 +8,7 @@ ###### Is the Go TLS structure well configured? -###### Is the [server](https://golang.org/pkg/net/http/#Server) timeout reduced (Read, write and IdleTimeout)? (enabling attackers to take their time) +###### Is the [server](https://golang.org/pkg/net/http/#Server) timeout reduced (Read, write and IdleTimeout)? ###### Does the project implement [Rate limiting](https://en.wikipedia.org/wiki/Rate_limiting) (avoiding [DoS attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack))? @@ -22,7 +22,7 @@ ##### Try to login into the forum and open the inspector(CTRL+SHIFT+i) and go to the storage to see the cookies(this can be different depending on the [browser](https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_are_browser_developer_tools)). -###### Does the session cookie present a unique identifier? +###### Does the session cookie present a UUID(Universal Unique Identifier)? ###### Does the project present a way to configure the certificates information, either via .env or config files or other method? diff --git a/subjects/forum/forum-security.en.md b/subjects/forum/forum-security.en.md index 2e54d6fbc..886d297c6 100644 --- a/subjects/forum/forum-security.en.md +++ b/subjects/forum/forum-security.en.md @@ -9,13 +9,14 @@ For this project you must take into account the security of your forum. - You should implement a Hypertext Transfer Protocol Secure ([HTTPS](https://www.globalsign.com/en/blog/the-difference-between-http-and-https)) protocol : - Encrypted connection : for this you will have to generate an SSL certificate, you can think of this like a identity card for your website. You can create your certificates or use "Certificate Authorities"(CA's) -- You should encrypt : - - Clients passwords - - Database, for this will have to create a password for your database and encrypt the communication channel. - - Clients session cookies should be unique. For instance, the session state is stored on the server and the session should present an unique identifier. This way the client has no direct access to it. Therefore, there is no way for attackers to read or tamper with session state. +- Clients session cookies should be unique. For instance, the session state is stored on the server and the session should present an unique identifier. This way the client has no direct access to it. Therefore, there is no way for attackers to read or tamper with session state. - The implementation of [Rate Limiting](https://en.wikipedia.org/wiki/Rate_limiting) must be present on this project +- You should encrypt : + - Clients passwords + - Database, for this you will have to create a password for your database. + This project will help you learn about : - HTTPS