Nice.
Security is hard. And requires keeping up with the literature, as they say. I’m somewhat out of the loop at this point and there are many concerns; easy-ish first ones include:
- Only HTTPS with modern ciphers.
- Never put meaningful or replayable info in cookies.
- Never echo untrusted content to the browser.
- Never store plaintext passwords.
- Always serve all content locally or with checksums if remote.
- Only give the lowest permissions absolutely necessary to do anything.
- Log everything to find attacks you forgot to cover.
The gold standard for guidelines is OWASP (Open Web Application Security Project).