Security
Vera edited this page Dec 13, 2018
- When adding support for any external API or other service, under no circumstances should you put the related secret keys in client code. Either the backend uses the secret key to make the request to the API/service on the client's behalf, or that API/service should not be used at all. Anything shipped to the browser (bundled JavaScript, source maps, environment variables baked in at build time) can be read by every user.
- Be mindful when using any personally identifiable information (PII). Any combination of first and last names, email addresses, or other details about a developer or user could be pieced together with information gathered elsewhere and then used to steal an identity, stalk someone, or worse. When in doubt, do not put it in the code or in pull requests.
- UNDER ABSOLUTELY NO CIRCUMSTANCES should you store password data statically in code or on the client's disk. Web browsers have gotten much better at separating data from different sites, but it only takes one browser bug (or one cross-site scripting bug in our own pages) for someone to run malicious JavaScript on the user's machine and scrape browser-stored data. This includes cookies, Local Storage, and Web SQL. Users can rely on password vaults to manage and insert their credentials as needed.
- Generally speaking, be mindful about storing any personally identifiable information on the client. As stated above, web browsers are usually pretty secure, but it only takes one browser bug to expose that data. Choose what PII you keep locally wisely.
- Be mindful of how you pass props around. While most props data sits in memory rather than on disk, inadvertently passing props to the wrong component (for example, spreading a whole config object into a child that renders it, or into DOM attributes) can expose it directly to the end user, who can then use that data in ways such as mounting an attack on the backend based on how the data is structured.
- Do not store secret keys directly in the code. Read them from environment variables or another key-value store at runtime, and keep any file that holds them (such as a local .env file) out of version control.
- As with React, be mindful of how you pass configuration around on the backend. The Django REST Framework in particular exposes API endpoints as views, and with the browsable API enabled anyone with valid credentials can navigate them in a browser and see their fields and methods, so every view needs its permission classes set deliberately (the framework's own default allows any request).
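The following is an added example, not the project's own code, showing how the secret-handling rules above fit together on the Django side: secrets come only from the environment and the server refuses to start without them, the React client receives an allowlisted public subset of the configuration (the server-side counterpart of being careful what you spread into props), the third-party key stays on the backend by proxying the call, and Django REST Framework's defaults are tightened so a view that forgets its own `permission_classes` is not open to anonymous requests. `PAYMENT_API_KEY`, `API_BASE_URL`, the payments URL and every helper name are assumptions for illustration; the DRF setting names and class paths are the real ones.

```python
"""Added example (not the project's own code).

Django-style settings that (1) load every secret from the environment and
refuse to start if one is missing, (2) hand the React client only an
allowlisted public subset of the configuration, (3) keep a third-party API
key server-side by proxying the call, and (4) lock down Django REST
Framework's defaults so a view that forgets its own permission_classes is
not reachable anonymously. PAYMENT_API_KEY, API_BASE_URL, the payments URL
and all helper names are assumptions for illustration.
"""
import os

# Secrets this hypothetical deployment needs. Each must be present in the
# process environment (or injected from a secrets store); none ever gets a
# default value in code.
REQUIRED_SECRETS = ("DJANGO_SECRET_KEY", "PAYMENT_API_KEY")

# Settings the browser is allowed to see. Anything not listed stays on the
# server no matter how the settings object is passed around.
CLIENT_SAFE_KEYS = ("API_BASE_URL", "FEATURE_FLAGS")


def load_secrets(environ=os.environ):
    """Return {name: value} for every required secret, or raise.

    Raising means a misconfigured server fails to start instead of running
    with an empty or placeholder key.
    """
    missing = [name for name in REQUIRED_SECRETS if not environ.get(name)]
    if missing:
        raise RuntimeError("missing required secrets: " + ", ".join(missing))
    return {name: environ[name] for name in REQUIRED_SECRETS}


def build_settings(environ=os.environ, debug=False):
    """Assemble the settings dict a Django settings module would expose."""
    secrets = load_secrets(environ)
    renderers = ["rest_framework.renderers.JSONRenderer"]
    if debug:
        # The browsable API renders HTML forms that list every field and
        # method of a view; useful locally, but it maps the API surface for
        # anyone who can reach it, so it is a development-only renderer.
        renderers.append("rest_framework.renderers.BrowsableAPIRenderer")
    return {
        "DEBUG": debug,
        "SECRET_KEY": secrets["DJANGO_SECRET_KEY"],
        "PAYMENT_API_KEY": secrets["PAYMENT_API_KEY"],
        "API_BASE_URL": environ.get("API_BASE_URL", ""),
        "FEATURE_FLAGS": [f for f in environ.get("FEATURE_FLAGS", "").split(",") if f],
        "REST_FRAMEWORK": {
            # DRF's own default is AllowAny; make every view require a
            # logged-in user unless it opts out explicitly.
            "DEFAULT_PERMISSION_CLASSES": [
                "rest_framework.permissions.IsAuthenticated",
            ],
            "DEFAULT_AUTHENTICATION_CLASSES": [
                "rest_framework.authentication.SessionAuthentication",
            ],
            "DEFAULT_RENDERER_CLASSES": renderers,
        },
    }


def client_config(settings):
    """Allowlist filter for the config object handed to the React app.

    Filtering by an explicit allowlist (rather than stripping keys that look
    secret) means a newly added secret is private by default.
    """
    return {key: settings[key] for key in CLIENT_SAFE_KEYS if key in settings}


def payment_proxy_request(settings, amount_cents, currency):
    """Describe the outbound request the backend makes on the client's behalf.

    The browser sends only amount and currency to our own endpoint; this
    function attaches the key server-side. No network call is made here; the
    view would pass the returned dict to an HTTP client.
    """
    if not isinstance(amount_cents, int) or amount_cents <= 0:
        raise ValueError("amount must be a positive whole number of cents")
    return {
        "url": "https://payments.example.invalid/v1/charges",  # assumed
        "headers": {"Authorization": "Bearer " + settings["PAYMENT_API_KEY"]},
        "json": {"amount": amount_cents, "currency": currency},
    }


if __name__ == "__main__":
    # Constructed environment for a local run; a real deployment sets these
    # in the process environment or a secrets manager.
    demo_env = {
        "DJANGO_SECRET_KEY": "k" * 50,
        "PAYMENT_API_KEY": "sk_test_constructed",
        "API_BASE_URL": "https://api.example.invalid",
    }
    cfg = build_settings(demo_env)
    print("to client:", client_config(cfg))
    print("to payments API:", payment_proxy_request(cfg, 1250, "usd"))
```

The allowlist in `client_config` is deliberate: a denylist that strips keys containing "KEY" or "SECRET" silently leaks the next value someone names differently, whereas an allowlist makes every new setting private until someone decides otherwise. Likewise, setting `DEFAULT_PERMISSION_CLASSES` once in settings is cheaper and safer than remembering `permission_classes` on every view.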