How about some basic security that could be built into the server
configuration, like:
- Max_msg_second = 3; Prevent users from sending more than x messages
to a channel or user in a certain period of time.
Right now it's possible for a user to script:
javascript:for(l=0;l<100;l++) { /* here code to send message to
ape server */ }
- Max_simultanious_receivers = 3;
- Max_simultanious_channel_receivers = 3; Prevent users from sending
messages to more than x users or channels at a time.
- Allow_html_in_JSON = false; // XSS exploits
- Maybe some standard regex tests that people can use in the server-side
JS extension. For example constants like: ONLY_LETTERS_AND_NUMBERS,
ONLY_NUMBERS, ONLY_LETTERS, ONLY_HTML_SAVE.
It's really difficult to write regexes, and everyone writing their
own regexes is less safe than prewritten regexes which are checked by
all users of the APE server.
- XSS prevention in received JSON (or is this already taken care of?)
I think everybody using the APE server has some basic security needs.
And in case the user of the APE server is not aware of some security
risks, the server has already taken care of them.
I think it's a good idea to ask users of the APE server to brainstorm
about security threats and prevent as many threats as possible in APE
server v2. Security is a big issue and should get some attention.
--
You received this message because you are subscribed to the Google
Groups "APE Project" group.
For more options, visit this group at
http://groups.google.com/group/ape-project?hl=en
---
APE Project (Ajax Push Engine)
Official website : http://www.ape-project.org/
Git Hub : http://github.com/APE-Project/
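As an added illustration of the settings proposed in the post above (example code, not part of the APE project or the original message), here is a small server-side policy check: a per-user sliding-window send limit (Max_msg_second), a cap on receivers per message (Max_simultanious_receivers), HTML escaping when Allow_html_in_JSON is false, and a few prewritten validator constants. The option names, the `sendLog` store and `simulateFlood` are assumptions for this example, not real APE configuration keys or APIs.

```javascript
// Constructed policy mirroring the proposed settings (names are assumptions).
const policy = {
  maxMsgPerSecond: 3,           // Max_msg_second
  maxSimultaneousReceivers: 3,  // Max_simultanious_receivers
  allowHtmlInJson: false        // Allow_html_in_JSON
};

// Prewritten validators, one shared set instead of per-user regexes (constructed).
const VALIDATORS = {
  ONLY_LETTERS_AND_NUMBERS: /^[A-Za-z0-9]+$/,
  ONLY_NUMBERS: /^[0-9]+$/,
  ONLY_LETTERS: /^[A-Za-z]+$/
};

// userId -> timestamps (ms) of sends accepted within the last second
const sendLog = new Map();

// Sliding one-second window: true if this user may send another message now.
function allowSend(userId, now, cfg = policy) {
  const recent = (sendLog.get(userId) || []).filter(t => now - t < 1000);
  const ok = recent.length < cfg.maxMsgPerSecond;
  if (ok) recent.push(now);
  sendLog.set(userId, recent);
  return ok;
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) { return String(s).replace(/[&<>"']/g, c => HTML_ESCAPES[c]); }

// Validate one outgoing message before it is relayed; returns {ok, reason|msg}.
function checkMessage(userId, receivers, text, now, cfg = policy) {
  if (receivers.length > cfg.maxSimultaneousReceivers) return { ok: false, reason: 'too_many_receivers' };
  if (!allowSend(userId, now, cfg)) return { ok: false, reason: 'rate_limited' };
  const msg = cfg.allowHtmlInJson ? text : escapeHtml(text);
  return { ok: true, msg };
}

// What the 100-iteration loop from the post looks like once the limit is enforced:
// all sends arrive in the same second, so only maxMsgPerSecond get through.
function simulateFlood(userId, count, now, cfg = policy) {
  let accepted = 0, rejected = 0;
  for (let i = 0; i < count; i++) {
    checkMessage(userId, ['victim'], 'spam', now, cfg).ok ? accepted++ : rejected++;
  }
  return { accepted, rejected };
}
```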