On Wed, Aug 12, 2009 at 10:38 PM, El Tea<[email protected]> wrote:
>
The biggest problem with answering this is that you may be doing bad
things that are completely away from TG. For example, there is no way for
TG to validate that you are not storing credit card data in your
database.

> I could really use a pointer to a set of documentation somewhere that
> lists all the requirements for securing my site.  I would think it
> would include changing this "secret", getting the site out of debug
> mode, and maybe even validating every form (even if you don't assign a
> validator to a field - which I am hoping escapes injection attacks).
>
Injection attacks are something that is caught at the SA level. In
theory, its query builder and object layer will catch all attempts at
it. I say "in theory" because a bug may be found, or you could be using
sqlalchemy.sql.TEXT.

> I expect TG is used by many professionals - but many people like
> myself as well, who are not well experienced in web architectures and
> SQL.  That's why I use TG - to abstract away and simplify, but I feel
> like it may leave my site and/or database open to vulnerabilities
> because I don't grasp all the nuances.
>

Sadly, this is not a TG issue. And even though I agree TG should tell
you all you need to do to close the holes TG opens, we can't tell you
how to close the holes you open.

> My previous approach was to buy Mark's book - and it was great, but
> I've since moved on to TG2.  Is there any page of mandatory steps and
> best practices to properly secure a TG2 site?
>
I don't think there is. That should be a chapter in the deployment guides.

>
> Mike
>
> On Aug 12, 9:47 am, Antoine Pitrou <[email protected]> wrote:
>> On Aug 12, 3:16 am, Mark Ramm <[email protected]> wrote:
>>
>> > You can also set it in development.ini using a key like:
>>
>> > sa_auth.cookie_secret = "mysupersecret"
>>
>> In [app:main] I assume?
> >
>

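Added example, not part of this thread or of the TurboGears/SQLAlchemy code: it shows the two concrete points above in runnable form. First, the injection hole the reply describes when hand-written SQL text is built from user input, next to the bound-parameter form that closes it; SQLAlchemy is not assumed installed, so the standard-library sqlite3 driver stands in (SQLAlchemy's text() takes the same bound-parameter form with `:name` placeholders and a dict of values). Second, a helper that writes sa_auth.cookie_secret under [app:main], as quoted from Mark's message, but with a randomly generated value instead of a literal like "mysupersecret". The table, rows, attacker input and ini fragment are constructed for the example; the function names are my own.

```python
"""
Added example (not code from the TurboGears list or project).
Demonstrates: (1) SQL injection via string-built SQL text versus bound
parameters, using the standard-library sqlite3 driver as a stand-in for
SQLAlchemy text(); (2) writing a generated sa_auth.cookie_secret under
[app:main] in a Paste-style ini file. All data here is constructed.
"""
import configparser
import io
import secrets
import sqlite3


def make_db():
    # Constructed in-memory table with two sample users.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def find_user_interpolated(conn, name):
    # VULNERABLE: the caller's string is spliced into the SQL text, so a
    # value like  ' OR '1'='1  rewrites the WHERE clause. This is the hole
    # the reply warns about when you bypass the query builder with raw text.
    sql = "SELECT name FROM users WHERE name = '%s' ORDER BY id" % name
    return [row[0] for row in conn.execute(sql)]


def find_user_bound(conn, name):
    # SAFE: the value travels as a bound parameter and is never parsed as
    # SQL. SQLAlchemy equivalent (assumed, not run here):
    #   text("SELECT name FROM users WHERE name = :name")
    #   executed with {"name": name}.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def set_cookie_secret(ini_text, secret=None):
    """Return (new_ini_text, secret) with sa_auth.cookie_secret set under
    [app:main]. If no secret is given, generate 32 random bytes (64 hex
    chars) with the secrets module so the value is not a guessable literal.
    """
    if secret is None:
        secret = secrets.token_hex(32)
    # interpolation=None so '%' in existing values is left alone.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    if not cfg.has_section("app:main"):
        cfg.add_section("app:main")
    cfg.set("app:main", "sa_auth.cookie_secret", secret)
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue(), secret


if __name__ == "__main__":
    db = make_db()
    attacker = "' OR '1'='1"
    print("interpolated:", find_user_interpolated(db, attacker))  # leaks every row
    print("bound:       ", find_user_bound(db, attacker))         # no match
    new_ini, generated = set_cookie_secret("[app:main]\nuse = egg:myapp\n")
    print(new_ini)
```

The first pair of functions is the whole point of the reply: the ORM and query builder bind values for you, but the moment you build SQL text with `%` or string concatenation you have reopened the hole yourself. The ini helper is a convenience; the security-relevant part is only that the secret is generated, not typed.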