|
Thread Rules
1. This is not a "do my homework for me" thread. If you have specific questions, ask, but don't post an assignment or homework problem and expect an exact solution.
2. No recruiting for your cockamamie projects (you won't replace Facebook with 3 dudes you found on the internet and $20).
3. If you can't articulate why a language is bad, don't start slinging shit about it. Just remember that nothing is worse than making CSS IE6 compatible.
4. Use [code] tags to format code blocks.
So I want to address the security topic I raised before. I want to deploy my website soon and I:
1. Decided to use one of the website hosting services like Heroku, which should make it more secure (I think) than running my own server.
2. I have written my site in Django and have read and followed (to the degree I can understand them) the advice and best practices recommended by the Django documentation (CSRF, XSS, SQL injection, Host header validation, HTTPS).
3. I am making sure nothing valuable is stored in the database, and I will also ask users (who will be people I know personally) to only use passwords that won't compromise anything of value in any case.
4. I am requiring login to view my website, and new users start as inactive (manual activation will be required to log in and see anything beyond the home page).
5. I am following the Django deploy checklist.
Also, on the topic of protecting user credentials by not storing them as plain text, doesn't Django do that by default? I was under the impression it does.
Any comments/advice?
|
What encryption algorithm are you using to hash the passwords?
|
I really hope it's argon2 and not SHA1 or something else like that....
If you're really into keeping things secure you can require MFA/2FA (whatever you want to call it) and disable things like security questions.
Heroku isn't inherently more secure, it's just a different way of hosting a website. If your application is insecure, it doesn't matter what your host is. PaaS like Heroku or AWS are more "secure" in terms of mitigating downtime and DDoS, but they won't do anything if there's a massive hole in your actual code somewhere. If you configure the firewalls/access rules properly, those types of hosts do mitigate some attacks, but not many.
If you want a truly secure server, you want to set up one which can only be accessed on 80 as a redirect to 443, and then configure a jump/bastion server for direct access. This is probably overkill for a non-commercial endeavor.
[Spoiler: actually useless information] If you want an absolutely secure server you need to unplug it from the internet and require your users to go to the physical server to do anything, with you personally checking security and verifying identity prior to access.
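The "80 only as a redirect to 443" advice above maps onto a handful of Django settings that also have to differ between a plain-HTTP localhost dev server and a public HTTPS deployment. The following is an added example, not code from anyone in the thread or from Django itself: a helper that derives those settings from environment variables, written for the case where TLS terminates at a reverse proxy that sets `X-Forwarded-Proto` (as Heroku's router does). The variable names `DJANGO_ENV`, `DJANGO_SECRET_KEY` and `DJANGO_ALLOWED_HOSTS`, the one-hour session and the 30-day HSTS lifetime are assumptions for the example, not settings the thread or Django prescribe.

```python
"""Environment-driven Django security settings.

Added example, not the thread author's code and not Django's own.  Assumes
the app runs behind a TLS-terminating proxy that sets X-Forwarded-Proto
(Heroku's router does), and that DJANGO_ENV / DJANGO_SECRET_KEY /
DJANGO_ALLOWED_HOSTS are the variables configured in the host's interface.
"""
import os
from typing import Any, Dict, Mapping


def security_settings(env: Mapping[str, str]) -> Dict[str, Any]:
    """Return the Django settings that must differ between a local dev
    server (http://localhost) and a public HTTPS deployment.

    DJANGO_ENV=production turns on every hardening switch.  Anything else
    is treated as local development, where SECURE_SSL_REDIRECT would only
    send the browser to a port nothing is listening on.
    """
    production = env.get("DJANGO_ENV", "development") == "production"
    secret_key = env.get("DJANGO_SECRET_KEY")
    if production and not secret_key:
        # Never fall back to a checked-in key on a public host.
        raise RuntimeError("DJANGO_SECRET_KEY must be set in production")

    hosts = env.get("DJANGO_ALLOWED_HOSTS", "localhost,127.0.0.1")
    return {
        # DEBUG=True leaks settings and tracebacks to anyone who triggers an error.
        "DEBUG": not production,
        "SECRET_KEY": secret_key or "dev-only-insecure-key",
        # Host header validation: only the names you actually serve.
        "ALLOWED_HOSTS": [h.strip() for h in hosts.split(",") if h.strip()],
        # Force http:// -> https:// at the application layer ...
        "SECURE_SSL_REDIRECT": production,
        # ... and trust the proxy's header, otherwise Django sees every request
        # as plain HTTP and redirects in a loop.  None is Django's default.
        "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https") if production else None,
        # Cookies: never sent over HTTP, never readable from JavaScript.
        "SESSION_COOKIE_SECURE": production,
        "CSRF_COOKIE_SECURE": production,
        "SESSION_COOKIE_HTTPONLY": True,
        "SESSION_COOKIE_SAMESITE": "Lax",
        # Session lifetime: one hour of inactivity, renewed on every request.
        "SESSION_COOKIE_AGE": 60 * 60,
        "SESSION_SAVE_EVERY_REQUEST": True,
        # HSTS is sticky in browsers: enable it only once HTTPS works everywhere.
        "SECURE_HSTS_SECONDS": 60 * 60 * 24 * 30 if production else 0,
        "SECURE_HSTS_INCLUDE_SUBDOMAINS": production,
        "SECURE_CONTENT_TYPE_NOSNIFF": True,
        "X_FRAME_OPTIONS": "DENY",
    }


# At the bottom of settings.py the result is spliced into module globals:
#     globals().update(security_settings(os.environ))
if __name__ == "__main__":
    for key, value in sorted(security_settings(os.environ).items()):
        print(f"{key} = {value!r}")
```

The point of deriving everything from one `DJANGO_ENV` switch is that the dev and production configurations are the same code path, so a setting that "works on localhost but breaks in production" shows up as a difference in one dictionary rather than in hand edits made on the live server.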
|
Even the last solution (in the spoiler) isn't 100% secure because, you know, people. A friend of mine from the military told me how their secure, cut-off-from-the-internet server was compromised by human stupidity and laziness. So no, I am not looking for total security, just a reasonable one for a hobby-related, low-traffic site.
|
On November 28 2019 16:24 Silvanel wrote: Even the last solution (in the spoiler) isn't 100% secure because, you know, people. A friend of mine from the military told me how their secure, cut-off-from-the-internet server was compromised by human stupidity and laziness. So no, I am not looking for total security, just a reasonable one for a hobby-related, low-traffic site.
Reminds me of the story earlier this year where the unplugged computer system of a Ukrainian nuclear power plant had been connected to the net by employees to mine cryptocurrency...
https://www.zdnet.com/article/employees-connect-nuclear-plant-to-the-internet-so-they-can-mine-cryptocurrency/
|
On November 28 2019 05:11 Silvanel wrote: So I want to address the security topic I raised before. I want to deploy my website soon and I:
1. Decided to use one of the website hosting services like Heroku, which should make it more secure (I think) than running my own server.
2. I have written my site in Django and have read and followed (to the degree I can understand them) the advice and best practices recommended by the Django documentation (CSRF, XSS, SQL injection, Host header validation, HTTPS).
3. I am making sure nothing valuable is stored in the database, and I will also ask users (who will be people I know personally) to only use passwords that won't compromise anything of value in any case.
4. I am requiring login to view my website, and new users start as inactive (manual activation will be required to log in and see anything beyond the home page).
5. I am following the Django deploy checklist.
Also, on the topic of protecting user credentials by not storing them as plain text, doesn't Django do that by default? I was under the impression it does.
Any comments/advice?
Just hash+salt the passwords and then it should be fine. Heroku is a good option in many cases; add your environment variables in the Heroku interface. I would use a secure/http-only/JWT cookie for authentication with a time limit of something like 1 hour if you want to be super secure. If you want to go even further, something like Okta would be good.
|
Geez, people. It's a hobby project for himself and a couple friends. Okta and such are overkill. Super secure stuff is also overkill (I totally hate credentials that expire too soon).
You'll be fine with the basic stuff provided by Django (PBKDF2), but it's extremely easy to switch to something like bcrypt or Argon2, since Django has support for other algorithms out of the box; they just require 3rd-party libraries to be installed.
Just read this and adjust accordingly: https://docs.djangoproject.com/en/2.2/topics/auth/passwords/
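The two posts above ("hash+salt the passwords" and "PBKDF2 by default, Argon2 if you install the library") describe what Django's password hashers do for you. The following is an added example, not Django's code and not anything posted in the thread: a pure-stdlib PBKDF2 hasher that writes the same `algorithm$iterations$salt$hash` encoded form Django's hashers use, with a constant-time check and the upgrade-on-login step that lets you raise the work factor or change algorithm without forcing password resets. The iteration count is an assumption for the example; Django raises its own default every release, so take the current value from the linked documentation rather than from here.

```python
"""Salted PBKDF2 password storage in Django's encoded format
("<algorithm>$<iterations>$<salt>$<base64 hash>").

Added example, not Django's own code and not from the thread: it mirrors
what django.contrib.auth.hashers does with the standard library so the
storage format and the upgrade-on-login step are visible.  ITERATIONS is
an assumed work factor, not Django's current default.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 320_000  # assumed; tune so one hash takes ~100 ms on your server


def make_password(password: str, salt: Optional[str] = None,
                  iterations: int = ITERATIONS) -> str:
    """Hash with a fresh random salt unless one is supplied for verification."""
    if salt is None:
        salt = secrets.token_urlsafe(16)          # 128 bits, unique per password
    if "$" in salt:
        raise ValueError("salt must not contain the field separator")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("ascii"), iterations)
    encoded_hash = base64.b64encode(digest).decode("ascii")
    return f"{ALGORITHM}${iterations}${salt}${encoded_hash}"


def check_password(password: str, encoded: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algorithm, iterations, salt, _ = encoded.split("$", 3)
        iteration_count = int(iterations)
    except ValueError:
        return False                              # malformed or legacy value
    if algorithm != ALGORITHM:
        return False
    candidate = make_password(password, salt, iteration_count)
    return hmac.compare_digest(candidate.encode("ascii"), encoded.encode("ascii"))


def needs_rehash(encoded: str, iterations: int = ITERATIONS) -> bool:
    """True when the stored hash is weaker than the current policy."""
    algorithm, stored_iterations, _, _ = encoded.split("$", 3)
    return algorithm != ALGORITHM or int(stored_iterations) < iterations


def verify_and_upgrade(password: str, encoded: str) -> Tuple[bool, Optional[str]]:
    """Login path: verify, and if the stored hash is stale return a fresh one
    for the caller to persist.  Login is the only moment the plaintext is
    available, which is why hashes get upgraded here and not in a batch job."""
    if not check_password(password, encoded):
        return False, None
    replacement = make_password(password) if needs_rehash(encoded) else None
    return True, replacement


if __name__ == "__main__":
    stored = make_password("correct horse battery staple")
    print(stored)
    print(check_password("correct horse battery staple", stored))  # True
    print(check_password("Tr0ub4dor&3", stored))                   # False
```

Switching the algorithm in Django is only a matter of putting `Argon2PasswordHasher` first in `PASSWORD_HASHERS` and installing `argon2-cffi`; the old PBKDF2 entries keep verifying existing users and are rewritten on their next login exactly as `verify_and_upgrade` does above.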
|
Thanks for the suggestions, I did switch to Argon2. I deployed my site --> it's up and running. I ran into some problems not present on the test server, but that is expected I guess. I fixed some, need to fix some more. But that will have to wait. Now it's time to rest. Yay! I did it.
|
The test server should be identical to prod so that you can catch errors before they happen. Sounds like you have something misconfigured
|
On November 29 2019 14:03 tofucake wrote:The test server should be identical to prod so that you can catch errors before they happen. Sounds like you have something misconfigured
If you have something with high uptime demands you probably want a development server as well as a test server. Test server being used for acceptance tests while dev has the latest code you are working on for future changes.
|
It should be identical, but it isn't. I had a problem with one security setting which ran smoothly on localhost but started giving problems in production, so I had to make changes on the fly. Anyway, it's something resembling a closed beta right now, so I will be fixing errors and stuff.
Thanks everyone for your input.
|
Test is also sometimes called pre-prod. It should live in the same world as prod with the same configurations. Only dev should be local, and even then it should be running on the same containers or a VM configured the same as prod. Developing like this will reduce errors based on environment, and you can spin down test and dev when they aren't needed. It's a good habit to get into.
|
On November 29 2019 17:07 Silvanel wrote: It should be identical, but it isn't. I had a problem with one security setting which ran smoothly on localhost but started giving problems in production, so I had to make changes on the fly. Anyway, it's something resembling a closed beta right now, so I will be fixing errors and stuff. Thanks everyone for your input.
If the configurations are specific to that environment then it makes sense to do it directly. For bugs you can reproduce on your dev environment, you should fix them and then deploy them to your prod server. This makes it easier to document what went wrong and how it was fixed so that if it happens again in the future you have a record of it.
QA is the best name for your test or pre-prod environment.
|
OMG, I only got 52% right... The shame overwhelms me.
|
I got 56%, which is good I guess considering I never played Pokemon or have anything to do with Big Data. Anyway, I used the strategy "No one would name a Pokemon like that", since pretty early on I realized there are no rules to Big Data naming, while some names were obviously too bad to be Pokemon.
|
On December 05 2019 01:50 Silvanel wrote: I got 56%, which is good I guess considering I never played Pokemon or have anything to do with Big Data. Anyway, I used the strategy "No one would name a Pokemon like that", since pretty early on I realized there are no rules to Big Data naming, while some names were obviously too bad to be Pokemon.
That's just the thing, there's always a Pokemon named "that". I mean someone named a Pokemon Spoink. Not to mention they're about to introduce a literal apple as a Pokemon named "Applin". All bets are off.
|
96%, only because I know my pokemon :D
|
67%
|
I feel like a first-year programmer... I was stuck for almost two days because I had whitespace trailing a URL I had to compute a hash on. I spent two days trying to find the error in my implementation of building the string to hash, or in the hashing function, because the resulting hashes just would not match. And of course the software I am working with only has a console for debugging, where I just couldn't see the stupid whitespace at the end of the URL.
|
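The hash mismatch described in the post above is the usual failure mode when two sides hash a string that looks identical on a console: a trailing space, a non-breaking space or a zero-width character changes every bit of the digest while printing as nothing. The following is an added example, not the poster's code: a small diagnostic that reports the `repr`, length and SHA-256 of the input together with every invisible character a console would hide, plus the canonicalisation (strip and Unicode NFC) that both sides would have to agree on before hashing. The sample URL is constructed for the example; the set of flagged characters is a reasonable starting list, not an exhaustive one.

```python
"""Diagnose hash mismatches caused by characters a console print hides.

Added example, not the thread poster's code.  The URL in the demo at the
bottom is constructed sample data.
"""
import hashlib
import unicodedata
from typing import Dict, List

# Characters that print as nothing, or as an ordinary space, but change the hash.
INVISIBLE = {
    "\t": "TAB", "\r": "CR", "\n": "LF",
    "\u00a0": "NO-BREAK SPACE",
    "\u200b": "ZERO WIDTH SPACE",
    "\ufeff": "BYTE ORDER MARK",
}


def hidden_chars(s: str) -> List[str]:
    """Name every whitespace or format character that a plain print would hide."""
    findings: List[str] = []
    if s != s.strip():
        findings.append("leading/trailing whitespace")
    for i, ch in enumerate(s):
        if ch in INVISIBLE:
            findings.append(f"{INVISIBLE[ch]} at index {i}")
        elif ch != " " and unicodedata.category(ch) in ("Cf", "Zs"):
            # Other format (Cf) or space-separator (Zs) code points.
            findings.append(f"{unicodedata.name(ch, 'U+%04X' % ord(ch))} at index {i}")
    return findings


def digest_report(s: str) -> Dict[str, object]:
    """Everything you want to compare against the other side when hashes differ."""
    return {
        "repr": repr(s),                  # repr shows what the console swallowed
        "length": len(s),
        "sha256": hashlib.sha256(s.encode("utf-8")).hexdigest(),
        "hidden": hidden_chars(s),
    }


def canonical_digest(s: str) -> str:
    """Hash after the normalisation both sides must agree on: strip + NFC."""
    canonical = unicodedata.normalize("NFC", s.strip())
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample: the same URL with and without a trailing space.
    for url in ("https://example.com/api?x=1", "https://example.com/api?x=1 "):
        print(digest_report(url))
```

Comparing the `length` and `hidden` fields of both sides' reports finds this class of bug in one step; the `repr` shows exactly where the stray character sits when the console rendering does not.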