On Tue, Mar 15, 2016 at 12:48:29AM +0300, Aleksej Saushev wrote:
> co...@sdf.org writes:
>
> > Feedback needed:
> >
> > Security:
> > It seems like there's a big need for security. I've learned of one
> > attack called cross-site request forgery. Seems like the way to tackle
> > it is an awkward dance with embedding tokens in forms.
> > I can already see that Sailor (other Lua framework)'s authentication
> > scheme doesn't handle this...
> >
> > Are there other such concerns?
>
> I would try to avoid this. It is a tricky thing that requires investing
> a lot more time than you have. Not that you may write without any
> thought about security, yet don't put too much effort into it.

It shouldn't be difficult to implement CSRF protection in any framework
(which has a reasonable API). I think you should get familiar with these
projects before you start:

* https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
* https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet

If you encounter any problems with web security then ping me, I think I'd
be able to help since it's part of my $DAYJOB.

Best Regards,
Mateusz Kocielski
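The "token in forms" dance the thread refers to is the synchronizer-token pattern; the following is an added example of it in plain Lua, not code from Sailor or from anyone in the thread. It assumes the framework hands each request a server-side session table and a table of parsed POST parameters, and that /dev/urandom is available.

```lua
-- Synchronizer-token CSRF protection (added example, hypothetical framework
-- glue): one random token per session, embedded as a hidden form field and
-- verified on every state-changing request.

local function random_hex(nbytes)
  -- math.random is not a CSPRNG; read the kernel's random device instead.
  local f = assert(io.open("/dev/urandom", "rb"))
  local bytes = assert(f:read(nbytes))
  f:close()
  return (bytes:gsub(".", function(c) return string.format("%02x", c:byte()) end))
end

-- Compare two strings without an early exit on the first differing byte,
-- so response timing does not reveal how much of a guess was correct.
local function constant_time_equal(a, b)
  if #a ~= #b then return false end
  local diff = 0
  for i = 1, #a do
    diff = diff + math.abs(a:byte(i) - b:byte(i))
  end
  return diff == 0
end

-- Create the session token on first use; reuse it for the session's lifetime.
local function csrf_token(session)
  if not session.csrf_token then
    session.csrf_token = random_hex(32)   -- 256 bits, hex-encoded
  end
  return session.csrf_token
end

-- Hidden field to render inside every form that changes server state.
-- Hex output needs no HTML escaping.
local function csrf_field(session)
  return string.format('<input type="hidden" name="csrf_token" value="%s">',
                       csrf_token(session))
end

-- Call before handling any POST/PUT/DELETE. A missing or mismatched token
-- (the case a forged cross-site form produces) is rejected.
local function csrf_check(session, params)
  local expected, submitted = session.csrf_token, params and params.csrf_token
  if type(expected) ~= "string" or type(submitted) ~= "string" then
    return false
  end
  return constant_time_equal(expected, submitted)
end

-- Constructed session and request tables standing in for the framework's.
local session = {}
local hidden = csrf_field(session)   -- embed `hidden` in the rendered HTML
assert(csrf_check(session, { csrf_token = session.csrf_token }) == true)
assert(csrf_check(session, { csrf_token = "forged-value" }) == false)
assert(csrf_check(session, {}) == false)
print("csrf checks ok")
```

The check must run for every state-changing route, not only the ones that render a form, and the token belongs in the POST body, never in a GET URL where it would leak through Referer headers and logs.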