This repository was archived by the owner on Jan 30, 2025. It is now read-only.

Commit 45ff5cc

Completing 1.2.2
1 parent 1753d4c commit 45ff5cc

File tree

1 file changed

+27
-3
lines changed


ReadMe.md

Lines changed: 27 additions & 3 deletions
@@ -240,13 +240,23 @@ Mitigation involves using parameterized queries or prepared statements.
240240
You must be careful when using prepared statements, as they can be vulnerable to SQL injection attacks.
241241
Make sure that whatever is passed to the `Flask` server is properly sanitized.
242242

243+
Direct mitigation strategies involve using parameterized queries or prepared statements
244+
to ensure that unvalidated input is safely handled within SQL statements,
245+
effectively bypassing intended access controls.
246+
The security headers indirectly support this by encouraging browsers to adhere strictly to the declared content types,
247+
potentially reducing the risk of executing malicious scripts that could exploit SQL injection vulnerabilities
248+
This is basically implemented in the `Flask` server's `add_security_headers()`.
249+
243250
#### Cross-Site Scripting (XSS) 📜
244251
An attack where malicious scripts are injected into trusted websites.
245252
Prevention includes validating and escaping user inputs.
246253

247254
Even though we attempt to not allow except `JSON`, `CSV` and `.config`, the contents may not be sanitised properly,
248255
So make sure you validate the file contents to not include bad characters or scripts.
249256

257+
We have attempt to mitigate this by preventing MIME type sniffing, ensuring browsers interpret content strictly as declared,
258+
thus potentially blocking malicious scripts. This is in the `Flask` server's `add_security_headers()`.
259+
250260
### Broken Authentication 🔓
251261
Weaknesses in the authentication process, allowing unauthorized access to user accounts.
252262
Implementing strong password policies and two-factor authentication helps mitigate this.
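Review bot: in the added SQL-injection paragraph the clause "effectively bypassing intended access controls" describes what the attack achieves, not what parameterized queries do; end the sentence at "safely handled within SQL statements" (or say the goal is to stop input from changing the structure of the query). The following sentence that credits `add_security_headers()` with reducing SQL-injection risk should be dropped or moved to the XSS section: a content-type header is enforced by the browser and has no effect on how the `Flask` server builds SQL, which is only ever mitigated server-side (it is also missing its full stop after "vulnerabilities"). In the XSS addition, "We have attempt to mitigate" should read "We have attempted to mitigate", and the claim should be narrowed: the no-sniff header only stops browsers reinterpreting a mislabelled response as HTML or script, it does nothing against a script injected into a page that is legitimately served as HTML, so output escaping (and a `Content-Security-Policy`) remain the primary control. The retained line "prepared statements ... can be vulnerable to SQL injection attacks" is also misleading and worth fixing while here: a statement with bound parameters is not injectable; the risk only exists when the statement text itself is assembled from user input.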
@@ -265,7 +275,11 @@ Undesired defaults or errors in application setup.
265275

266276
Regular audits and automated deployment processes can help catch and rectify these issues.
267277
Running [GGShield](#ggshield-scan-) every once in a while is really important, just ignore error's based on the DataBase
268-
containing passwords and user information as the `DataBase` by nature is private.
278+
containing passwords and user information as the `DataBase` by nature is private and these error consist of test cases.
279+
280+
Attempts to enhance this was by controlling browser behaviors, preventing clickjacking,
281+
enabling XSS filters, and managing referrer information sharing.
282+
This is in the `Flask` server's `add_security_headers()`.
269283

270284
### Exposure of Sensitive Data 👀
271285
Information leakage due to misconfiguration, leading to unauthorized access to sensitive data.
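Review bot: "enabling XSS filters" in the new paragraph refers to the `X-XSS-Protection` header, which current Chromium-based browsers and Firefox do not implement (Chromium removed its XSS Auditor, Firefox never shipped one), so it should not be listed as a mitigation; a `Content-Security-Policy` is the supported replacement, while the clickjacking and referrer controls in the same list (`X-Frame-Options` or `frame-ancestors`, `Referrer-Policy`) are the parts that still do something. The paragraph also belongs under the XSS section rather than Security Misconfiguration. Separately, the advice to "just ignore" GGShield findings because the `DataBase` is private is risky: a private repository is still cloned, forked and backed up, so a real credential that lands there is exposed; if the hits are genuinely test fixtures, record them in the ggshield ignore configuration so that real secrets still fail the scan. Grammar: "errors" not "error's", and "these errors consist of test cases".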
@@ -291,7 +305,9 @@ Also check the [GitHub Repository Releases](https://github.com/DefinetlyNotAI/Te
291305
Attack where a malicious website tricks a victim into performing actions on a web application in which they're authenticated.
292306
CSRF tokens can prevent this.
293307

294-
Implement CSRF tokens in the front-end of the software
308+
Implement CSRF tokens in the front-end of the software to mitigate this risk as
309+
CSRF attacks occur when a malicious website tricks a victim into performing actions on a web application
310+
in which they're authenticated.
295311

296312
### Error Handling Information Exposure 📜
297313
Revealing detailed error messages can give attackers insights into the application's structure and potential vulnerabilities.
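Review bot: the added clause ("to mitigate this risk as CSRF attacks occur when a malicious website tricks a victim ...") repeats word for word the definition given two lines earlier in the same section, so the rewrite adds no information; drop it, or replace it with what needs doing. More importantly, "Implement CSRF tokens in the front-end" is incomplete: a token that is only minted and checked in the browser protects nothing, because the attacking site never runs that code. The `Flask` server has to generate the token, bind it to the session, and reject any state-changing request that does not carry a matching value (Flask-WTF's `CSRFProtect` does this), with the front-end only forwarding it; marking the session cookie `SameSite=Lax` or `Strict` is a cheap second layer.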
@@ -300,14 +316,22 @@ Configuring error pages to display generic messages helps.
300316
The server is in risk with this, as the HTML returned includes a good deal of sensitive information,
301317
but this is not shown, rather is sent to the framework itself.
302318
The front-end of the website should show a generic message based on the variable `code`,
303-
while as the variable `msg` should be logged and not shown to the front end user
319+
while as the variable `msg` should be logged and not shown to the front end user, we already log the `msg` variable in a generic way.
320+
321+
We also attempt to fix this by ensuring strict content interpretation,
322+
potentially preventing exploitation of detailed error messages.
323+
This is in the `Flask` server's `add_security_headers()`.
304324

305325
### Insufficient Transport Layer Protection ❌
306326
Lack of proper encryption protocols between client and server. Ensuring HTTPS and strong ciphers is mandatory.
307327

308328
This is all on the WEB hosting protocol, as the `Flask` Server runs on `LOCALHOST` it is safe from this vulnerability,
309329
However the front-end server that communicates with the server may be running on a different protocol which can be insecure.
310330

331+
We recommend HTTPS and strong ciphers, we try to fix this in our end by enforcing HTTPS,
332+
encrypting all client-server communication and protecting against eavesdropping and man-in-the-middle attacks.
333+
This is in the `Flask` server's `add_security_headers()`.
334+
311335
## Framework Setup 🛠️
312336

313337
To use the `API_FrameWork.py`, include the following in your code:
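Review bot: the new sentence crediting "strict content interpretation" in `add_security_headers()` with preventing exploitation of detailed error messages is wrong: a no-sniff header changes how a browser renders a response, not what the response contains, and anyone with `curl` reads whatever is in the body. The real fix is already stated just above it (return only `code`, log `msg` server-side), so remove the headers sentence rather than hedging it with "potentially". The transport paragraph has the same problem: if "enforcing HTTPS" means a `Strict-Transport-Security` header, that header neither encrypts anything nor upgrades a connection; browsers only honour it after a response has already arrived over a valid TLS connection, and non-browser clients ignore it entirely. HTTPS has to be provided where the listener is (a TLS-terminating reverse proxy, or `ssl_context` when running Flask directly), which also sits awkwardly next to the retained line saying the server "runs on LOCALHOST" and is therefore safe; either document the deployment that adds TLS or drop the claim. Minor: "we try to fix this in our end" should be "on our end", and "while as the variable `msg`" should be "whereas the variable `msg`".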
