Closed. This question is opinion-based. It is not currently accepting answers.
Closed 2 years ago.
This question is more about web architecture than actual code behind it.
I posted a question yesterday about how to fix a problem I was having with JS encryption and decryption.
My whole system now works however I think I've just rebuilt https.
In my current app the client receives a public key to encrypt data. That data is decrypted at the server with a private key, which I've learnt is exactly the way HTTPS works. I was going to abandon my encryption functions completely; however, I thought that they might actually be useful.
This is because I thought I might have one server for handling requests and another for database interaction. So I would encrypt the plaintext password before it reached the request server (and then decrypt it after it reaches the database server). This is because the less places the password is known, the better (as far as I see it).
Not only that but I still don't feel safe sending a password as plaintext to the server even if it is encrypted.
There's probably a standard for sending passwords that I'm missing or something about https that I don't understand but really my question is:
Should I have https and my encryption system?
or just https and sending the passwords in plaintext?
You are not sending the password as plaintext when you send it through HTTPS, but you should not store it on the server (or pass it to another server). What you should do to prevent the password from leaking is to salt and hash it and store the hash and salt in the database; you can read more about it on Wikipedia.
On the other hand, while building software from scratch is good practice, it is important to review other implementations, so you can copy the implementation details from known, secure open-source implementations, like for example devise.
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 5 months ago.
I'm fairly new to coding, and when I try to find a way to lock my website behind a username and password field, every tutorial just hides them as a plain variable in some random file. I'm wanting to make the website only accessible once a username and password have been entered, but I want the usernames and passwords to be made and managed by myself, so only people I know can access it. If this is a really obvious thing I apologise, but if it's something that I can specifically look up please let me know so I can do more independent research.
There's no good way to do this on the frontend alone.
every tutorial just hides them as a plain variable in some random file.
Sounds like some pretty shoddy tutorials. Anyone could look at the source code of the site and get in.
The right thing to do would be to:
Hash the passwords (one-way encryption so that the original password text cannot be recovered, even if someone gains access to the hash)
Save the passwords in a database or (if there aren't many) in environment variables on your server
Set up routing on the server so that if the user isn't authenticated, none of the protected content gets sent to them in the first place - redirect them to the login page. (Don't serve the HTML of a protected page and then try to do validation from that page; with that approach, users would still be able to open up the developer tools and bypass your restrictions, by inserting their own code and removing your own).
Anything on the client-side can be tampered with and bypassed; gate requests behind the server instead, which is (or, has the potential to be) much more secure.
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 4 years ago.
I got a request at work to create an SMTP server so that our website can send automatic emails on a daily/weekly basis. In simple terms: we have a website running on node.js and I need to give it the ability to automatically send emails based on time and/or other conditions.
Since I have never worked in this direction (and I just got into this field) I decided to ask a question here, to see what you (experts) have to say in regard to this subject.
P.S. I might have a wrong understanding of how this should run, so feel free to correct anything that I said.
Since setting up a brand new SMTP server and managing correct configuration, security, and most importantly domain/IP reputation can be a real pain, I would suggest using a cloud service for this task to get you going faster.
A few of these services, some of them with free tiers, are Amazon SMS, Mailgun, SendGrid and Mandrill. At least Mailgun has an API wrapper available for Node.JS.
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 5 years ago.
How do services which have JavaScript client libraries secure those libraries and the APIs they call? Specifically:
Ensure library is only loaded on valid sites.
Ensure a user doesn't just open up the console and start making calls.
Any other major considerations to be made?
Ensure library is only loaded on valid sites.
You can't and you don't. Security in client-side JS is futile. If you're talking server-side JS, you're pretty much pwned if arbitrary code is able to execute server-side.
Ensure a user doesn't just open up the console and start making calls.
Most services require some form of API key/token, a value that needs to go with your API requests so that the service can check its validity. This value is usually only obtainable by being a registered user of the service. That means an API key is tied to an account. If the service finds out that you're breaking ToS, they can simply block your API key or account altogether.
For public APIs, there's a combination of rate limiting, tracking and blocking (i.e. IP or a fingerprint of some sort), referrer checks (ensure something is only loaded by a certain page, not somewhere else), UA checks (ensure a browser is downloading, not a bot, app or something), and more. Individually, these checks are easily spoofed, but combined, can be a deterrent.
Well, since your js basically lives client side then the only thing you could really do there is make users authenticate before they can really get your libraries. Anything past that would really just be a tiny roadbump to anyone who really wants to manipulate your js.
Where you do have and can maintain control is securing your API calls. The most popular forms are with basic auth, OAuth, and IP whitelisting.
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 5 years ago.
I'm trying to make my REST API more secure. For the moment I'm hashing my password in my Angular app with CryptoJS.SHA256 before sending it to my C# backend. But I realize it's better to hash the password on the server side. So how can I send a password only readable by the server? I'm going to add SSL, but I know HTTPS is also breakable. Is there another solution?
Thanks
As Bruce Schneier says, "Anyone can design a cipher that he himself cannot break. This is why you should uniformly distrust amateur cryptography, and why you should only use published algorithms that have withstood broad cryptanalysis."
While nothing is 100% unbreakable, breaking HTTPS is significantly harder than breaking a homecooked security scheme made in JavaScript. Consider this: if you serve your super-secure JS over an untrusted (HTTP or HTTPS-with-invalid-certificate) connection, what prevents the attacker from substituting a broken version, which will bypass all the JS security? Nothing.
Modern browsers are going to great lengths to prevent HTTPS from being broken (with HSTS etc.); so it's significantly safer to rely on HTTPS (which can provide actual security when used correctly - "just ignore all those big red errors" is one simple way to break it) than on JS-over-HTTP (which only provides a feeling of security without an actual chance of being secure).
Further reading: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/august/javascript-cryptography-considered-harmful/
https://security.stackexchange.com/questions/3921/why-do-some-people-really-hate-security-via-client-side?rq=1
https://security.stackexchange.com/questions/8596/https-security-should-password-be-hashed-server-side-or-client-side
There are a lot of sources out there on this topic, but few have actually analysed it. As a general rule, trust guidance from Thomas Pornin more than anybody else. I also highly recommend my own survey and recommendation on the topic.
Not exactly a full-blown answer to your question, but I'd start by looking into using a KDF (Key Derivation Function) rather than just hashing your secrets. Some KDF libraries that you can look into are:
PBKDF2
bcrypt
scrypt
https://en.wikipedia.org/wiki/Key_derivation_function
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 years ago.
How can an offline website (zip, MHTML, SingleFile) be made secure? Are there techniques (obfuscating, encrypting) or anything within the specs of HTML or JavaScript (ECMAScript) that would allow for an offline website to be secure on its own?
By "secure" I mean that if a user has a local copy of the website, they may not still have access to the contents without a password. Imagine a level of security approximating that which is used in PDF documents.
You may use an offline js function (https://code.google.com/p/crypto-js/#Ciphers here are some algorithms that will do) to encrypt all the data, and ask for a password to decrypt it.
Note that you shouldn't store the correct password, but instead check whether it is correct by using the password given by the user to decrypt a known message (encrypt "hello world" with the correct password, and then check whether the password given by the user works).
Yes; you can encrypt the data, then decrypt it in Javascript.
Note that any user with the encryption will always have full access to the data.