Replies are listed 'Best First'.
Re^5: PSGI/Plack unsatisfactory performance by Your Mother (Archbishop) on Dec 28, 2021 at 20:29 UTC
Nice. Security is hard. And requires keeping up with the literature, as they say. I’m somewhat out of the loop at this point and there are many concerns; easy-ish first ones include– Only HTTPS with modern ciphers. Never put meaningful or replayable info in cookies. Never echo untrusted content to the browser. Never store plaintext passwords. Always serve all content locally or with checksums if remote. Only give lowest permission absolutely necessary to do anything. Log everything to find attacks you forgot to cover. The gold standard for guidelines is OWASP (Open Web Application Security Project).	[reply]

Replies are listed 'Best First'.

Re^5: PSGI/Plack unsatisfactory performance
by Your Mother (Archbishop) on Dec 28, 2021 at 20:29 UTC

Nice.

Security is hard. And requires keeping up with the literature, as they say. I’m somewhat out of the loop at this point and there are many concerns; easy-ish first ones include–

Only HTTPS with modern ciphers.
Never put meaningful or replayable info in cookies.
Never echo untrusted content to the browser.
Never store plaintext passwords.
Always serve all content locally or with checksums if remote.
Only give lowest permission absolutely necessary to do anything.
Log everything to find attacks you forgot to cover.

The gold standard for guidelines is OWASP (Open Web Application Security Project).

[reply]