Details

• Type: Epic
• Status: Open
• Priority: High
• Resolution: Unresolved
• Affects Version/s: None
• Fix Version/s: None
• Component/s: None
• Labels: None
• Epic Name: Hardening security

Description

• stronger password hash
• never email password (or expose it over other unencrypted channels)
• limit login attempts
• safer defaults for session cookie (httponly, ..)
• ...
• sign updates to composer packages somehow (built on signed git tags?)
• ...
• be more vocal/stricter on enforcing use of HTTPS for authenticated traffic (logged in to front/UI/REST/..)

2018:

• X-Frame-Options: SAMEORIGIN by default, but it will need configuration
• Session cookie secure bit; however, it needs to be opt-in for anyone not on HTTPS (for instance in dev). A strict but almost sane default would be to force it in prod, but that would need docs and a banner on the login page when on HTTP, stating that login will not work, to make it clear. Or some other way.
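As an added illustration (not eZ Platform's own code), a plain-PHP sketch of the cookie policy described in the two bullets above: httponly always, the secure bit forced in prod or when opted in and otherwise following the request scheme, plus a flag that tells the login page to show the HTTP banner. The function names, the APP_ENV lookup and the 'prod'/'dev' environment values are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Decide session cookie flags. Returns
 * ['secure' => bool, 'httponly' => bool, 'login_banner' => bool].
 *
 * - httponly is always on.
 * - secure is forced in prod or when $forceSecure (the opt-in) is set;
 *   otherwise it simply follows the request scheme, so dev over HTTP keeps working.
 * - login_banner is raised when the cookie is secure-only but the request is
 *   plain HTTP: the browser would drop the cookie and login could not succeed.
 */
function sessionCookiePolicy(string $env, bool $isHttps, bool $forceSecure = false): array
{
    $secure = $forceSecure || $env === 'prod' || $isHttps;

    return [
        'secure'       => $secure,
        'httponly'     => true,
        'login_banner' => $secure && !$isHttps,
    ];
}

/** Apply the policy before session_start() and set the clickjacking default. */
function applySessionCookiePolicy(array $policy): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => $policy['secure'],
        'httponly' => $policy['httponly'],
    ]);
    if (!headers_sent()) {
        // Default from the ticket; a deployment that embeds the UI elsewhere overrides it.
        header('X-Frame-Options: SAMEORIGIN');
    }
}

// Usage (assumed environment handling): detect scheme, compute and apply the policy.
$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
$policy  = sessionCookiePolicy(getenv('APP_ENV') ?: 'dev', $isHttps);
applySessionCookiePolicy($policy);
if ($policy['login_banner']) {
    echo 'Login over plain HTTP will not work: the session cookie is marked secure.';
}
```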

People

• Assignee: Unassigned
• Reporter: André Rømcke (andre.romcke@ez.no)
• Votes: 0
• Watchers: 1


Time Tracking

• Estimated: Not Specified
• Remaining: 0m
• Logged: 4h 30m