leastauthority.com

Analyze SOP, XSS, and CSS security of website.

Open nathan-at-least opened this issue 11 years ago • 3 comments

Synopsis

We analyze the risk posed by CSRF, XSS, SQL injection and other common attacks on the public website.

By "analyze the risk" I don't mean hunt for those kinds of vulnerabilities; I mean, assume they exist and ask ourselves "what does a customer or the LA org rely on from the website which would be subverted should X vulnerability exist?"

Close Criteria

Reliance Documentation - Document which reliances would be violated by:

  • Malicious JavaScript - served from each leastauthority.com domain.
  • Malicious JavaScript - served from another domain.
  • CSRF vulnerability - Can any authority-carrying request be made without a secret which limits the scope of that request?

Website Policy Proscription - Document which assumptions should not be violated by changes to the website.

This is Important! We need to document in the leastauthority.com repository README or somewhere else impossible to miss which kinds of changes to the website would alter these assumptions. Such changes should be forbidden without careful consideration.

The documentation should be such that if we hire a new devops and then before their first day, we all quit or disappear, then when they start, they won't accidentally violate the assumptions. ;-)

Jul 11 '13 18:07 nathan-at-least

Not necessary for Reset-The-Net launch.

Is this still applicable?

Feb 02 '17 13:02 Liz315

We still should do this.

Feb 23 '17 15:02 Liz315