Security

ajohns619 edited this page Dec 9, 2018 · 3 revisions

Ongoing list of potential security threats:

  • Cross-site scripting during message typing
  • Prevent weak passwords
  • Prevent access to admin pages directly from the URL
  • MongoDB potential security issues
  • Socket messages not being sent over HTTPS
  • Anyone can create an account

Plan to fix vulnerabilities:

  • Run files through Veracode
  • Use jQuery to filter out characters on message input (chat.js now has an escapeMessage function that escapes "<" and ">" characters).
  • Add requirements for passwords, such as capitals and numbers
  • Research MongoDB and socket message security
  • Modify where admin.html is stored. Done: the server no longer exposes the public root, only the js, css, and img folders.
  • Verify account registration through an email to e4p
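Added example, not the project's chat.js: the wiki says escapeMessage rewrites only "<" and ">", which is enough when the result lands in a text node but leaves "&" and quote characters alone, so it is not safe for attribute values. The block below reconstructs that narrow escape under an assumed name, puts a complete HTML escape beside it, and shows the DOM path (textContent) that avoids parsing messages as HTML at all. Function and sample names are assumptions; the sample messages are constructed.

```javascript
// Narrow escape, as the wiki describes for chat.js (reconstruction under an
// assumed name, not the project's code). Safe inside a text node only.
function escapeAngleBrackets(message) {
  return String(message).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Complete escape: also handles "&" and both quote characters, so the result
// is safe inside a double- or single-quoted HTML attribute value as well.
function escapeHtml(message) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  };
  return String(message).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Preferred rendering path when a DOM is available: assign textContent, so the
// browser never interprets the message as markup and no escaping is needed.
// `doc` is any object exposing createElement (a real document, or a stub).
function renderMessage(doc, message) {
  const li = doc.createElement("li");
  li.textContent = message; // set as text, never as innerHTML
  return li;
}

// Constructed sample chat messages (not taken from the page).
const SAMPLE_MESSAGES = [
  "hello <b>world</b>",
  '" onmouseover="x',   // quotes matter once the value sits in an attribute
  "Tom & Jerry",
];

// Returns both escapings side by side so the difference is visible.
function compareEscapes(messages) {
  return messages.map((m) => ({
    narrow: escapeAngleBrackets(m),
    full: escapeHtml(m),
  }));
}
```

Escaping output is context-specific: the complete escape covers text and quoted-attribute contexts, while URLs, inline scripts and unquoted attributes each need their own encoding.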