wasteof.money
Secuwity issues! ^w^
Disclaimer: robotop uwufied the title. Not me.
Ok, so basically there are a few security issues. They're not really vulnerabilities, and they're not major, so I should be fine disclosing them to the public.
- We should enforce https so that hackers can't steal people's passwords and hack them.
- Not really a security issue, but we should limit passwords to 72 chars as that's bcrypt's limit apparently.
- We should make users choose strong passwords. That means enforcing length i.e. at least 8 characters, and providing a How Strong Is Your Password? type thing to encourage people to choose strong passwords, though only length should be enforced on the server (probably)
- This is probably worth another issue on its own, but we should consider checking usernames in constant time, which basically means that it should take the same time to respond to a username that does exist as for one that doesn't exist. This is really difficult to get right, and apparently facebook, twitter and most other companies do it wrong.
That's your security rundown for today, hosted by a pufferfish as the usual apple's trying to find a security vulnerability in fake python. Thank you, and good night.
- Not in this repo
- Sounds good
- Sounds good
- I'm confused, but okay
- Not in this repo
Wdym by that? You can easily enforce https with express.

```javascript
app.use(function(request, response, next) {
  if (process.env.NODE_ENV != 'development' && !request.secure) {
    return response.redirect("https://" + request.headers.host + request.url)
  }
  next()
})
```
Would this work in our scenario?
Yes, that would work perfectly. Bear in mind that should be the first app.use thing.
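An added example, not code from the wasteof.money repository, showing the same redirect middleware written framework-free so it can be exercised with constructed requests. It assumes Express's `req.secure` / `req.headers` / `req.url` / `res.redirect()` shapes, and assumes the proxy in front of the app (Cloudflare in this thread) sets `X-Forwarded-Proto`, which matters because behind a proxy `req.secure` is false for every request unless `trust proxy` is configured.

```javascript
// Builds the "force HTTPS" middleware; `env` stands in for process.env.NODE_ENV.
function forceHttps(env) {
  return function (req, res, next) {
    // TLS terminates at the proxy, so the origin sees plain HTTP and req.secure is
    // false. Express derives req.secure from X-Forwarded-Proto only when
    // app.set('trust proxy', ...) is enabled; this version also reads the header
    // directly so the check is visible. Only the first (client-facing) hop counts.
    const forwarded = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim();
    const isHttps = req.secure === true || forwarded === 'https';
    if (env !== 'development' && !isHttps) {
      // Note: this trusts the Host header for the redirect target, as the original
      // snippet does; checking it against the site's own hostname is stricter.
      return res.redirect(301, 'https://' + req.headers.host + req.url);
    }
    return next();
  };
}

// Small harness: runs the middleware once and reports what it did.
function run(env, req) {
  const outcome = { redirectedTo: null, status: null, passed: false };
  const res = {
    redirect: function (status, url) { outcome.status = status; outcome.redirectedTo = url; }
  };
  forceHttps(env)(req, res, function () { outcome.passed = true; });
  return outcome;
}

// Constructed sample requests (not captured traffic).
const plainHttp = { secure: false, headers: { host: 'wasteof.money' }, url: '/login' };
const viaProxy  = { secure: false, headers: { host: 'wasteof.money', 'x-forwarded-proto': 'https' }, url: '/login' };
const directTls = { secure: true,  headers: { host: 'wasteof.money' }, url: '/' };

run('production', plainHttp);  // redirects to https://wasteof.money/login
run('production', viaProxy);   // passes through: proxy says the client used https
run('development', plainHttp); // passes through: no TLS in local dev
```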
> We should enforce https so that hackers can't steal people's passwords and hack them.

it is already done on the cloudflare side

> limit passwords to 72 chars

no. we should find a way to store longer passwords. https://security.stackexchange.com/a/184090

> We should make users choose strong passwords. That means enforcing length i.e. at least 8 characters, and providing a How Strong Is Your Password? type thing to encourage people to choose strong passwords, though only length should be enforced on the server (probably)

ok

> This is probably worth another issue on its own, but we should consider checking usernames in constant time, which basically means that it should take the same time to respond to a username that does exist as for one that doesn't exist. This is really difficult to get right, and apparently facebook, twitter and most other companies do it wrong.

but why? an attacker can just request the user page and see if it 404s
> it is already done on the cloudflare side

Ah ok, for some reason I thought it wasn't.

> no. we should find a way to store longer passwords. https://security.stackexchange.com/a/184090

Either way, it entails shortening the password to 72 bytes. But yes, that makes sense.

> but why? an attacker can just request the user page and see if it 404s

Then why do we bother with being ambiguous about whether it's the username or password that's incorrect? I get what you're saying, but if twitter, facebook and all the rest attempt to do it, and we already have something similar, then why not do it?

> then why not do it?

it's a wasteof time and would end up negatively impacting the user experience by slow api responses