Hello Koen,

Some security aspects:
1. safe html: algorithm, which tags and attributes are considered
safe. Protection against JS through CSS inlining.
2. algorithm of encodeUntrustedUrl.
3. which errors could be printed to the browser (like in PHP). In the HTML
version it happens if an exception was thrown:
request->out()
    << "<title>Error occurred.</title>"
    << "<h2>Error occurred.</h2>"
       "Error parsing CGI request: " << e.what() << std::endl;
4. Wt::Auth, restriction for large number of tokens per user.
Currently old tokens are not removed, max number is 50, then the user
can't log in. See http://redmine.emweb.be/issues/1763
5. When session is killed. (IP changed, browser identity changed,
timeout, maybe something else?) It was mentioned somewhere.
6. Protection against application-level DDoS. Wt can keep records of
time spent by sessions and in case of DDoS drop most time-consuming
sessions and block those IP addresses for 10 minutes. BTW, blocking by
IP (range) and/or browser identity should be methods of WServer and Wt
config.
7. [JS-level encryption] See
http://comments.gmane.org/gmane.comp.web.witty.general/8150

Best regards,
Boris Nagaev

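Added example for item 3 above (this is not Wt's code, and the helper names renderErrorPageLeaky, renderErrorPageSafe, logServerSide and the in-memory log are assumptions made for the example): the quoted output shape, which writes e.what() into the response, beside a form that sends the client only a fixed message and an opaque incident id and keeps the exception text in the server log.

```cpp
// Added example, not Wt's code. Helper names and the in-memory log are
// assumptions made for this example.
#include <exception>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

// Stand-in for a server-side log sink (constructed in memory so the
// example runs offline).
static std::vector<std::string> g_serverLog;

static void logServerSide(const std::string& incidentId, const std::exception& e) {
    g_serverLog.push_back("[" + incidentId + "] Error parsing CGI request: " + e.what());
}

// The shape quoted in the thread: e.what() is written straight into the
// response, so whatever the exception message contains (paths, header
// values, internal state) reaches the client. If the message echoes
// request data, it is also written unescaped into HTML.
std::string renderErrorPageLeaky(const std::exception& e) {
    std::ostringstream out;
    out << "<title>Error occurred.</title>"
        << "<h2>Error occurred.</h2>"
           "Error parsing CGI request: " << e.what() << '\n';
    return out.str();
}

// Hardened form: the client gets a fixed message plus an opaque incident
// id; the exception text goes only to the server log, keyed by that id
// so an operator can correlate the two.
std::string renderErrorPageSafe(const std::exception& e, const std::string& incidentId) {
    logServerSide(incidentId, e);
    std::ostringstream out;
    out << "<title>Error occurred.</title>"
        << "<h2>Error occurred.</h2>"
           "The request could not be processed. Incident id: " << incidentId << '\n';
    return out.str();
}

// Does the rendered page contain the raw exception text?
bool leaksDetail(const std::string& page, const std::exception& e) {
    return page.find(e.what()) != std::string::npos;
}

// Was the detail recorded server-side under the given incident id?
bool loggedUnder(const std::string& incidentId, const std::exception& e) {
    const std::string needle =
        "[" + incidentId + "] Error parsing CGI request: " + std::string(e.what());
    for (const std::string& line : g_serverLog)
        if (line == needle) return true;
    return false;
}
```

The incident id should be generated randomly per failure rather than from a counter, so that the value reveals nothing about error volume; anything derived from the request that does end up in an error page must be HTML-escaped first.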

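Added example for item 6 above, again not Wt's code (SessionGuard, SessionRecord, runScenario and the sample sessions are constructed for this example): per-session time accounting with a shedding policy that, when invoked under overload, drops the most time-consuming sessions and blocks their source addresses for a configurable period, ten minutes by default as in the proposal.

```cpp
// Added example, not Wt's code. All names here are assumptions made
// for the example.
#include <algorithm>
#include <chrono>
#include <cstddef>
#include <map>
#include <string>
#include <utility>
#include <vector>

using Clock = std::chrono::steady_clock;

struct SessionRecord {
    std::string ip;
    std::chrono::milliseconds cpuTime{0};  // time spent serving this session
};

class SessionGuard {
public:
    explicit SessionGuard(std::chrono::seconds blockDuration = std::chrono::minutes(10))
        : blockDuration_(blockDuration) {}

    // Account the time spent serving one request of a session.
    void recordTime(const std::string& sessionId, const std::string& ip,
                    std::chrono::milliseconds spent) {
        SessionRecord& rec = sessions_[sessionId];
        rec.ip = ip;
        rec.cpuTime += spent;
    }

    // Is this address currently blocked? Entries expire by time, so no
    // background cleanup is needed for correctness.
    bool isBlocked(const std::string& ip, Clock::time_point now) const {
        auto it = blocked_.find(ip);
        return it != blocked_.end() && now < it->second;
    }

    // Called when the server decides it is overloaded: drop the n most
    // time-consuming sessions and block their addresses.
    std::vector<std::string> shed(std::size_t n, Clock::time_point now) {
        std::vector<std::pair<std::string, SessionRecord>> ranked(sessions_.begin(),
                                                                  sessions_.end());
        std::sort(ranked.begin(), ranked.end(),
                  [](const std::pair<std::string, SessionRecord>& a,
                     const std::pair<std::string, SessionRecord>& b) {
                      return a.second.cpuTime > b.second.cpuTime;
                  });
        std::vector<std::string> dropped;
        for (std::size_t i = 0; i < n && i < ranked.size(); ++i) {
            dropped.push_back(ranked[i].first);
            blocked_[ranked[i].second.ip] =
                now + std::chrono::duration_cast<Clock::duration>(blockDuration_);
            sessions_.erase(ranked[i].first);
        }
        return dropped;
    }

    std::size_t sessionCount() const { return sessions_.size(); }

private:
    std::chrono::seconds blockDuration_;
    std::map<std::string, SessionRecord> sessions_;
    std::map<std::string, Clock::time_point> blocked_;
};

struct ScenarioResult {
    std::vector<std::string> dropped;  // session ids that were shed
    bool hogBlockedNow;
    bool quietBlockedNow;
    bool hogBlockedAfterExpiry;
    std::size_t remainingSessions;
};

// Constructed scenario: three sessions, one of which (s2) consumes far
// more server time than the others; the server then sheds one session.
ScenarioResult runScenario() {
    SessionGuard guard(std::chrono::minutes(10));
    const Clock::time_point now = Clock::now();
    guard.recordTime("s1", "10.0.0.1", std::chrono::milliseconds(50));
    guard.recordTime("s2", "10.0.0.2", std::chrono::milliseconds(900));
    guard.recordTime("s2", "10.0.0.2", std::chrono::milliseconds(900));
    guard.recordTime("s3", "10.0.0.3", std::chrono::milliseconds(10));
    ScenarioResult r;
    r.dropped = guard.shed(1, now);
    r.hogBlockedNow = guard.isBlocked("10.0.0.2", now);
    r.quietBlockedNow = guard.isBlocked("10.0.0.1", now);
    r.hogBlockedAfterExpiry = guard.isBlocked("10.0.0.2", now + std::chrono::minutes(11));
    r.remainingSessions = guard.sessionCount();
    return r;
}
```

Ranking by total accumulated time penalises long-lived legitimate sessions, so a deployment would rank on time spent within a recent window instead; blocking by address also affects every user behind the same NAT, which is why the block is short and each shed decision should be logged with the session id, address and accounted time.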
On Tue, Jul 23, 2013 at 1:40 PM, Koen Deforche <k...@emweb.be> wrote:
> Hey Boris,
>
> 2013/7/22 Nagaev Boris <bnag...@gmail.com>:
>> Hello, Koen
>>
>> This case of documentation lack is not the first one concerning security.
>> Could you send Wt's set of security rules, please?
>
> I will update our WIKI entry on this topic. What other security aspect
> wasn't well documented?
>
> Regards,
> koen
>
> _______________________________________________
> witty-interest mailing list
> witty-interest@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/witty-interest
