Major reworking of the pepper section #526
Merged
This will remove all mentions of storing a pepper (application secret) in a config file. The *alternatives* described in the *Disadvantages* section were covering the same ground, so I reworked these to be in their own *Alternatives* section with more context on how they differ from the common pepper method. Also removed references to ambiguous and irrelevant words like *traditional* and use more appropriate terms that demonstrate a clear message. Also introduces the concept of CSPRNG to pepper generation, which is critical for the security of sessions, which share similar characteristics to a pepper. Updated the concatenation to a prefix approach which mitigates known attacks against peppering and avoids some implementation bugs such as truncation.
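The two points in the description above (a CSPRNG-generated pepper, and prefixing rather than appending it) as an added example; this is not code from the PR or from the Cheat Sheet Series. It assumes a constructed KDF that silently drops input past 72 bytes, modelling bcrypt's input limit, with scrypt as a stand-in for the underlying function:

```python
import hashlib
import hmac
import secrets

# Constructed model of a password hash that silently truncates its input at
# 72 bytes (bcrypt behaves this way). scrypt is only the stand-in primitive.
TRUNCATE_AT = 72


def truncating_kdf(data: bytes, salt: bytes) -> bytes:
    """Derive 32 bytes from the first TRUNCATE_AT bytes of data."""
    return hashlib.scrypt(data[:TRUNCATE_AT], salt=salt, n=2**12, r=8, p=1, dklen=32)


def generate_pepper(nbytes: int = 32) -> bytes:
    """Pepper comes from the OS CSPRNG, never from a hard-coded or config string."""
    return secrets.token_bytes(nbytes)


def hash_password(password: str, pepper: bytes, salt: bytes, prefix: bool = True) -> bytes:
    """Combine pepper and password, pepper first (prefix) or last (suffix)."""
    pw = password.encode("utf-8")
    material = pepper + pw if prefix else pw + pepper
    return truncating_kdf(material, salt)


def verify_password(password: str, pepper: bytes, salt: bytes, stored: bytes, prefix: bool = True) -> bool:
    """Constant-time comparison of a recomputed hash against the stored one."""
    return hmac.compare_digest(hash_password(password, pepper, salt, prefix), stored)


def pepper_survives_truncation(password: str, prefix: bool) -> bool:
    """True when the pepper actually changes the stored hash for this password.

    With a suffix pepper and a password of 72+ bytes, the truncating KDF never
    sees the pepper, so the hash is identical to an unpeppered one.
    """
    salt = b"constructed-fixed-salt"  # fixed so the two hashes are comparable
    pepper = generate_pepper()
    peppered = hash_password(password, pepper, salt, prefix)
    unpeppered = truncating_kdf(password.encode("utf-8"), salt)
    return peppered != unpeppered
```

`pepper_survives_truncation("a" * 80, prefix=False)` returns False, showing the suffix pepper being dropped, while the prefix form keeps the pepper inside the first 72 bytes regardless of password length.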
omg this is so fabulous and my only regret is not reviewing this sooner
Thank you for submitting a Pull Request (PR) to the Cheat Sheet Series.
Please make sure that for your contribution:
If your PR is related to an issue, please finish your PR text with the following line:
This PR covers issue #.
Thank you again for your contribution😃