
Strategize Security

Open entrotech opened this issue 4 years ago • 4 comments

Overview

The application has minimal security: just a registration and login system, a few defined authorization roles, and some code in the code base that is intended to present a user with only the menu items, buttons, etc. for which he/she is authorized. We need to implement more comprehensive security practices and coding.

Action Items

  • [ ] Determine and document appropriate security requirements and procedures.
  • [ ] Conduct an application security audit and add to these action items the steps that need to be taken. #1665
  • [x] Assure all traffic to/from web site is encrypted via TLS/SSL.
  • [ ] All web api endpoints need to be reviewed and tested for appropriate level of authentication and authorization.
  • [ ] All client-side routes need to re-direct to the login page if an attempt is made to access a url that should be inaccessible to the user.
  • [ ] UI elements for navigating to unauthorized actions should be hidden or disabled.
  • [ ] Define issues for designers, developers and analysts to implement these practices.

Resources/Instructions

entrotech, Apr 28 '20 14:04

@entrotech What is your assessment of what this work would entail given the current status of the project? As this issue was created in April 2020 and there have been many changes since then, are the Action Items identified in the Overview still applicable?

staceyrebekahscott, Jul 30 '22 02:07

Adding to Questions / In Review, as I believe security should be prioritized. But the work needs to be reassessed and a new issue created, as the original proposed tasks may be stale and not applicable to the current environment.

staceyrebekahscott, Aug 03 '22 03:08

@entrotech Following up: how should we be thinking about security on our site right now? Are the questions in the Overview still relevant, considering the issue was created in April 2020?

staceyrebekahscott, Aug 22 '22 05:08

Moving this to the Waiting column. I would like to consider this in a more cohesive way, as there are some separate issues regarding performance and security that should be built into a more strategic process.

staceyrebekahscott, Sep 01 '22 19:09