The look of the API landing page and tidy up questions #489
Comments
|
@k8hughes shouldn't be looking too bad anymore :) |
|
Is it secure? I know we needed to check that the API didn;t open up the DDW to any vunerabilities... |
|
|
With my knowledge of SQL and how it's programmed, I've tried my best to
pen-test it, and it's not vulnerable to the common attacks. But testing it
myself is a little like proofreading your own writing. Would you or Naphlin
be able to take a stab at it?
…On Thu, Jan 24, 2019, 4:29 AM Edwin P. Magezi ***@***.*** wrote:
@akmiller01 <https://github.com/akmiller01>
Is it secure? I know we needed to check that the API didn;t open up the
DDW to any vunerabilities...
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#489 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ACtJaB8-1FsNTMS4DNKnG1wUOlw7fXB4ks5vGX0OgaJpZM4aFjZb>
.
|
|
Oh, but it's built on a read only user. So the worst vulnerability possible would be accessing data they're not supposed to (which should be explicitly blacklisted). |
|
@akmiller01 one last bit on validation... it seems to allow any type of format one specifies. Of course the resulting file is broken, but still, I think it should accept only the allowed formats. Since we're not using any authentication/secrets that may require encryption, I don't think the API not being deployed via HTTPS is a big issue... right? |
|
Yep, that makes sense to validate the file format and maybe make a new
error code for unknown formats.
And I would agree with you on SSL. It's a "nice-to-have" for all web
traffic, but really only necessary when the user is sending sensitive info.
The connection between the server and PSQL should already be over SSL (I
believe).
…On Fri, Jan 25, 2019, 2:43 AM Edwin P. Magezi ***@***.*** wrote:
@akmiller01 <https://github.com/akmiller01> one last bit on validation...
it seems to allow any type of format one specifies. Of course the resulting
file is broken, but still, I think it should accept only the allowed
formats.
Since we're not using any authentication/secrets that may require
encryption, I don't think the API not being deployed via HTTPS is a big
issue... right?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#489 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ACtJaBAWzIWZf_Snqe4RP5rExyFJDl9Rks5vGrWzgaJpZM4aFjZb>
.
|
|
I've moved this into done, but I don't know if there is a new issue that we want to docuent to remind ourselves of the SSL issue? @edwinmp @akmiller01 |
It needs to be renamed to be called "Development Data Hub API" instead of DDW.
I know API pages don't need to be super designed or pretty but should we have a logo or be using DI fonts? (not sure what is the norm for API pages?)
Have we checked the API is secure and there is no risk of comprising the DDW?
The text was updated successfully, but these errors were encountered: