Arya Bahnken
I don't think you can encrypt that secret in that way, as you will need it to authenticate them. `valid := totp.Validate(passcode, key.Secret())` I believe you will want to just...
@elimisteve Could we get our hands on servers with an HSM?
Since it is all e2e encrypted, you are going to want to sanitize on output. The linked `sanitize.js` looks good, but I'd limit the whitelist even more imo.
cure53 is damn legit and DOMPurify is under active development. Also has a paid bug bounty associated with it (https://github.com/cure53/DOMPurify#what-if-i-find-a-bypass). Seems awesome.
I need to review this more in-depth, but I'd say we go for feature parity with https://github.com/twitter/secureheaders - and it looks like you have that already (or nearly).
Two missing from gosecure that are in secureheaders:

```
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
```

X-Download-Options - IE8 specific - http://www.nwebsec.com/HttpHeaders/SecurityHeaders/XDownloadOptions

X-Permitted-Cross-Domain-Policies - Specific to Flash and PDFs - https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xpcdp
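As an added illustration of the parity gap described in the comment above (example code, not part of gosecure, secureheaders or the original thread), the following Go middleware sets the two headers with the values quoted above, and a small checker reports which of them a handler's response is missing. The `WithSecurityHeaders`, `MissingHeaders` and `Record` names and the use of `httptest` are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
)

// SecurityHeaders holds the two headers the comment above notes are present
// in secureheaders but missing from gosecure, with the values quoted there.
var SecurityHeaders = map[string]string{
	"X-Download-Options":                "noopen",
	"X-Permitted-Cross-Domain-Policies": "none",
}

// WithSecurityHeaders wraps an http.Handler (hypothetical middleware name) and
// sets the headers before the wrapped handler writes, so every response
// carries them regardless of what the handler does.
func WithSecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		for name, value := range SecurityHeaders {
			h.Set(name, value)
		}
		next.ServeHTTP(w, r)
	})
}

// MissingHeaders reports, in sorted order, which expected headers a response
// lacks or sets to a value other than the expected one. An empty result means
// the response is at parity for these two headers.
func MissingHeaders(h http.Header) []string {
	var problems []string
	for name, want := range SecurityHeaders {
		got := h.Get(name)
		switch {
		case got == "":
			problems = append(problems, name+": missing")
		case got != want:
			problems = append(problems, fmt.Sprintf("%s: got %q, want %q", name, got, want))
		}
	}
	sort.Strings(problems)
	return problems
}

// Record drives the handler with a constructed GET request (no network) and
// returns the headers it produced, so a handler can be checked offline.
func Record(h http.Handler) http.Header {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	h.ServeHTTP(rec, req)
	return rec.Result().Header
}

func main() {
	// A plain handler that sets nothing: both headers are reported missing.
	plain := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _ = w.Write([]byte("ok"))
	})
	fmt.Println("without middleware:", MissingHeaders(Record(plain)))
	// The same handler behind the middleware: nothing is reported.
	fmt.Println("with middleware:", MissingHeaders(Record(WithSecurityHeaders(plain))))
}
```

The checker doubles as a quick regression test for any headers library: run a handler through `Record` and assert that `MissingHeaders` returns nothing.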
:) Sounds good. I'd love to see if there are anymore I missed that are worth adding.
I do like the idea of using containers to run the application, so even if we don't opt to do it now, I'd say we put it on the backlog....
@longears Thanks