Commit

Add section on confidential requests
oliverguenther committed Sep 7, 2023
1 parent fb70b90 commit 1fb2b57
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions docs/development/concepts/secure-coding/README.md
Expand Up @@ -168,6 +168,7 @@ OpenProject is a form-driven application, meaning that users input a lot of data
- Implement a strict [content security policy](https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html) to mitigate common XSS, CSRF and similar cross-site attack vectors. OpenProject uses the [secure_headers gem](https://github.com/github/secure_headers) to define its CSP.
- Learn about the [different types of XSS](https://owasp.org/www-community/Types_of_Cross-Site_Scripting#stored-xss-aka-persistent-or-type-i) and their impacts: Reflected XSS, Stored XSS, Dom-based XSS and server vs client side XSS
- Implement file upload filters based on file type, and ensure user-provided files cannot be executed as code.
- Ensure transmission of confidential data does not happen through GET requests, but use POST/PUT/PATCH requests instead.

**References**

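Review bot: The new bullet ("Ensure transmission of confidential data does not happen through GET requests, but use POST/PUT/PATCH requests instead.") states the rule without the reason, and its grammar mixes two constructions ("does not happen ... but use"). The sibling bullets in this section each explain the impact and link to a reference, so this one reads thin by comparison. Suggest rewording along the lines of: "Do not transmit confidential data (credentials, tokens, personal data) in the query string of a GET request, because URLs are commonly recorded in server and proxy logs, browser history and Referer headers; send such data in the body of a POST/PUT/PATCH request instead." It may also be worth adding a note that moving the data into the request body does not by itself protect it in transit, so this bullet complements rather than replaces the TLS guidance elsewhere in the document.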

0 comments on commit 1fb2b57