https://frontend.turing.io/lessons/module-4/client-side-security.html
- visual, quick feedback
- HTML5 input types
- pattern attribute (on inputs): lets you guide the user toward entering values of a certain shape (??)
- input validation should happen on the server side (not on the client side)
- treat everything as suspect
- environment variables
- HTTP (Hypertext Transfer Protocol): "plain text"
- HTTPS (Hypertext Transfer Protocol Secure): SSL (Secure Sockets Layer) certificate
- Authentication and web tokens
- same-origin policy (CORS)
- don't store your passwords in the database
- if you do store them, use something like bcrypt
- avoid storing plain-text data in the database
Give me an example of a security breach.
- An example of a security breach is any time that spear phishing is successful. Two examples of spear phishing are the attack on an Iranian nuclear power plant and, more recently, an attack on a German steel mill. Emails were sent, a user fell for the attack, and the attacker was able to gain access to the controls. Air gapping would be recommended to solve this issue.
Where are the three places in your code where you should implement some level of data validation? (Or, the three phases of the validation waterfall)
- Client-side validation: all of the above (so, visual feedback, HTML5 input types, and pattern attributes)
- CORS
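A worked example of the validation waterfall in code, added here and not part of the Turing lesson: the HTML5 attributes that give the quick client-side feedback, and the same rules re-applied on the server, where the request body is treated as suspect. The form markup, the field names, the rule table and the `validateSignup` function are all constructed for this example.

```javascript
// Added example (not from the lesson). The browser enforces the HTML5
// attributes before submit, which is the "visual, quick feedback" layer.
// Anyone can skip that layer with curl or dev tools, so the server applies
// the same rules again and treats every field as suspect.

// Constructed form markup: type="email", required, maxlength and pattern.
const SIGNUP_FORM_HTML = `
<form method="POST" action="/signup">
  <input name="email" type="email" required maxlength="254">
  <input name="username" type="text" required pattern="[a-z0-9_]{3,16}"
         title="3-16 lowercase letters, digits or underscores">
  <button>Sign up</button>
</form>`;

// Server-side copy of the same constraints. The HTML pattern attribute is
// implicitly anchored to the whole value, so the server regex uses ^ and $.
const RULES = {
  email: { required: true, maxLength: 254, type: 'email' },
  username: { required: true, pattern: /^[a-z0-9_]{3,16}$/ },
};

// Simple shape check for an e-mail address (assumption: good enough to
// mirror type="email"; it is not a full RFC 5322 parser).
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Validate one untrusted request body. Returns { ok, errors } so the
// caller can reject the request with every problem listed at once.
function validateSignup(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be an object'] };
  }
  const errors = [];

  // Fields the form never sends are rejected instead of silently ignored.
  for (const key of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(RULES, key)) {
      errors.push(`unexpected field: ${key}`);
    }
  }

  for (const [field, rule] of Object.entries(RULES)) {
    const value = body[field];
    if (value === undefined || value === '') {
      if (rule.required) errors.push(`${field} is required`);
      continue;
    }
    // JSON bodies can carry numbers, arrays or objects where a string
    // was expected; reject them rather than coercing.
    if (typeof value !== 'string') {
      errors.push(`${field} must be a string`);
      continue;
    }
    if (rule.maxLength && value.length > rule.maxLength) {
      errors.push(`${field} is longer than ${rule.maxLength} characters`);
    }
    if (rule.type === 'email' && !EMAIL_RE.test(value)) {
      errors.push(`${field} is not an e-mail address`);
    }
    if (rule.pattern && !rule.pattern.test(value)) {
      errors.push(`${field} does not match the required pattern`);
    }
  }
  return { ok: errors.length === 0, errors };
}

module.exports = { SIGNUP_FORM_HTML, validateSignup };
```

Keeping the rules in one table next to the markup makes it easy to check that the two layers agree; the client layer exists only for the user's convenience, and the server layer is the one that decides.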
What are two ways we can prevent ourselves from introducing security holes in our codebases?
- never store passwords in the database