
    Details

    • Type: Epic
    • Status: Open
    • Priority: High
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels: None
    • Epic Name: Hardening security

      Description

      Hashes

      Cookies

      • Safer defaults for the session cookie (httponly, ...)
      • Session cookie secure bit. This needs to be opt-in for anyone not on HTTPS (for instance in dev). A strict but almost sane default would be to force it in prod, but that would need documentation and a banner on the login page, when it is served over HTTP, making it clear that login will not work. Or some other way.

      Other

      • Never email passwords (or expose them over other unencrypted channels)
      • Limit login attempts (per IP, per time window, ...)
      • Sign updates to composer packages somehow (built on signed git tags?)
      • Be more vocal/stricter about enforcing HTTPS for authenticated traffic (logged in to front/UI/REST/...)
      • Set autocomplete=off on forms for user credentials (stock templates)
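The two cookie items above amount to one configuration decision: httponly always, and the secure bit forced in prod but opt-in elsewhere, with the login page told when the cookie will not survive a plain-HTTP request. The following is an added example written for this ticket, not eZ code; the environment name and the `$forceSecure` opt-in are assumed to come from the application's own configuration.

```php
<?php
// Added example (not eZ Publish/Platform code): hardened session cookie defaults.
// Assumption: $env is the application environment name ('prod', 'dev', ...) and
// $forceSecure is an opt-in switch from the application's own configuration.

function isHttpsRequest(array $server): bool
{
    // Only the server's own view of the connection is trusted here; a forwarded
    // proto header should be honoured only when a known reverse proxy sets it.
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

function sessionCookieOptions(string $env, bool $isHttps, bool $forceSecure = false): array
{
    // Secure bit: always in prod; elsewhere only when opted in or already on HTTPS.
    $secure = ($env === 'prod') || $forceSecure || $isHttps;

    return [
        'lifetime' => 0,        // expires with the browser session
        'path'     => '/',
        'domain'   => '',       // host-only cookie
        'secure'   => $secure,
        'httponly' => true,     // never readable from JavaScript
        'samesite' => 'Lax',    // CSRF mitigation that keeps top-level navigation working
    ];
}

function startHardenedSession(string $env, array $server, bool $forceSecure = false): array
{
    $isHttps = isHttpsRequest($server);
    $opts    = sessionCookieOptions($env, $isHttps, $forceSecure);

    session_set_cookie_params($opts);          // array form, PHP 7.3+
    ini_set('session.use_strict_mode', '1');   // reject session ids the server did not issue
    ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
    session_start();

    // A "secure" cookie is never sent back over plain HTTP, so login would fail
    // silently: report that so the login template can show the banner instead.
    $loginWillFail = $opts['secure'] && !$isHttps;

    return ['options' => $opts, 'show_http_login_warning' => $loginWillFail];
}
```

In `dev` over plain HTTP the secure bit stays off and no banner is shown; in `prod` over plain HTTP the cookie is still marked secure and `show_http_login_warning` is true, which is the documented failure mode rather than a silently broken login.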

            People

            Assignee: Unassigned
            Reporter: André Rømcke (Inactive)


                Time Tracking

                Original Estimate: Not Specified
                Remaining Estimate: 0m
                Time Spent: 4h 30m