Restinio Security
How is security preparation done for both maintainers and restinio users? I hope for some security advice with restinio-specific code in your documentation. I found this link: https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html and I hope you can use it for a security advice doc in terms of that list.
In the PHP world, here is some notable security advice from the yii2 framework maintainers with yii2-specific code: https://www.yiiframework.com/doc/guide/2.0/en/security-overview
Thank you for restinio.
Thanks for the interesting link.
I think there are several levels where security can and should be provided:
- the first and the lowest level is correct and reasonable behavior in the case of wrong/damaged or specially formed input. There we rely on the quality of http_parser, which is battle-tested in various conditions (I hope);
- the second level is the behavior of the RESTinio library in some corner cases. For example, RESTinio controls various timeouts and automatically drops connections without any activity (or very slow ones);
- the third level is the behavior of an application built on top of RESTinio, like usage of JWT or exposure of some sensitive information via URL.
Your reference is almost completely related to the third level.
But at the current moment of RESTinio's evolution, our main task is to provide appropriate quality for the first two levels. It's because we don't have plans to make RESTinio a too-high-level framework (like Oat++, for example) where most of the operations are hidden from a user. With RESTinio a user has to describe routes and route parameters by him/herself. A user makes the decision about authentication schemes and related things. And so on.
So he/she can use any reasonable security recommendations like the one mentioned by you.
RESTinio is intended to make things simple, but not to hide all the details from a user. We want to add some features that can simplify a task for a user (like optional tools for limiting the request rate from an IP). But those tools will be just helpers, and a user will have to turn them on by him/herself.
Is it feasible/possible to use HTTPS (aka TLS) with RESTinio? If so, how?
@mouse07410
Docs: https://stiffstream.com/en/docs/restinio/0.6/tls.html
Example 1: https://github.com/Stiffstream/restinio/blob/v.0.6.10/dev/sample/hello_world_https/main.cpp
Example 2: https://github.com/Stiffstream/restinio/blob/v.0.6.10/dev/sample/tls_inspector/main.cpp