@@ -240,13 +240,23 @@ Mitigation involves using parameterized queries or prepared statements.
240240You must be careful when using prepared statements, as they can be vulnerable to SQL injection attacks.
241241Make sure that whatever is passed to the ` Flask ` server is properly sanitized.
242242
243+ Direct mitigation strategies involve using parameterized queries or prepared statements
244+ to ensure that unvalidated input is safely handled within SQL statements,
245+ effectively bypassing intended access controls.
246+ The security headers indirectly support this by encouraging browsers to adhere strictly to the declared content types,
247+ potentially reducing the risk of executing malicious scripts that could exploit SQL injection vulnerabilities
248+ This is basically implemented in the ` Flask ` server's ` add_security_headers() ` .
249+
243250#### Cross-Site Scripting (XSS) 📜
244251An attack where malicious scripts are injected into trusted websites.
245252Prevention includes validating and escaping user inputs.
246253
247254Even though we attempt to not allow except ` JSON ` , ` CSV ` and ` .config ` , the contents may not be sanitised properly,
248255So make sure you validate the file contents to not include bad characters or scripts.
249256
257+ We have attempt to mitigate this by preventing MIME type sniffing, ensuring browsers interpret content strictly as declared,
258+ thus potentially blocking malicious scripts. This is in the ` Flask ` server's ` add_security_headers() ` .
259+
250260### Broken Authentication 🔓
251261Weaknesses in the authentication process, allowing unauthorized access to user accounts.
252262Implementing strong password policies and two-factor authentication helps mitigate this.
@@ -265,7 +275,11 @@ Undesired defaults or errors in application setup.
265275
266276Regular audits and automated deployment processes can help catch and rectify these issues.
267277Running [ GGShield] ( #ggshield-scan- ) every once in a while is really important, just ignore error's based on the DataBase
268- containing passwords and user information as the ` DataBase ` by nature is private.
278+ containing passwords and user information as the ` DataBase ` by nature is private and these error consist of test cases.
279+
280+ Attempts to enhance this was by controlling browser behaviors, preventing clickjacking,
281+ enabling XSS filters, and managing referrer information sharing.
282+ This is in the ` Flask ` server's ` add_security_headers() ` .
269283
270284### Exposure of Sensitive Data 👀
271285Information leakage due to misconfiguration, leading to unauthorized access to sensitive data.
@@ -291,7 +305,9 @@ Also check the [GitHub Repository Releases](https://github.com/DefinetlyNotAI/Te
291305Attack where a malicious website tricks a victim into performing actions on a web application in which they're authenticated.
292306CSRF tokens can prevent this.
293307
294- Implement CSRF tokens in the front-end of the software
308+ Implement CSRF tokens in the front-end of the software to mitigate this risk as
309+ CSRF attacks occur when a malicious website tricks a victim into performing actions on a web application
310+ in which they're authenticated.
295311
296312### Error Handling Information Exposure 📜
297313Revealing detailed error messages can give attackers insights into the application's structure and potential vulnerabilities.
@@ -300,14 +316,22 @@ Configuring error pages to display generic messages helps.
300316The server is in risk with this, as the HTML returned includes a good deal of sensitive information,
301317but this is not shown, rather is sent to the framework itself.
302318The front-end of the website should show a generic message based on the variable ` code ` ,
303- while as the variable ` msg ` should be logged and not shown to the front end user
319+ while as the variable ` msg ` should be logged and not shown to the front end user, we already log the ` msg ` variable in a generic way.
320+
321+ We also attempt to fix this by ensuring strict content interpretation,
322+ potentially preventing exploitation of detailed error messages.
323+ This is in the ` Flask ` server's ` add_security_headers() ` .
304324
305325### Insufficient Transport Layer Protection ❌
306326Lack of proper encryption protocols between client and server. Ensuring HTTPS and strong ciphers is mandatory.
307327
308328This is all on the WEB hosting protocol, as the ` Flask ` Server runs on ` LOCALHOST ` it is safe from this vulnerability,
309329However the front-end server that communicates with the server may be running on a different protocol which can be insecure.
310330
331+ We recommend HTTPS and strong ciphers, we try to fix this in our end by enforcing HTTPS,
332+ encrypting all client-server communication and protecting against eavesdropping and man-in-the-middle attacks.
333+ This is in the ` Flask ` server's ` add_security_headers() ` .
334+
311335## Framework Setup 🛠️
312336
313337To use the ` API_FrameWork.py ` , include the following in your code:
0 commit comments