[Owncloud] Security Guidelines, attention app developers
Bernhard Posselt
nukeawhale at gmail.com
Fri Mar 8 15:56:51 UTC 2013
Lukas and I have created a page with common security recommendations:
http://doc.owncloud.org/server/5.0/developer_manual/general/security.html
Feel free to contribute/fix mistakes and please audit your apps!
The most annoying problem with most apps is that security checks are
deliberately not included if they are not absolutely required. This
makes it incredibly hard to audit and review your apps for security and
poses a potential risk for future code changes.
In general: Enforce every *possible* security measure which does not
break the app (always check for logged in and CSRF -> callRegistered(),
always escape JS even when it's output from t() ).
If it's not possible to do CSRF checks or other checks, check twice.
Maybe you don't split public/private functionality code properly.
cheers
Bernhard Posselt
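As an added illustration of the "escape even the output of t()" point (not part of the original mail and not ownCloud's own code), the following JavaScript mocks a t(app, text, vars)-style translation helper with {placeholder} substitution and shows the unsafe and the escaped way of turning its result into markup; the translation table, helper names and sample display name are constructed for the example.

```javascript
// Added example: why the output of a t()-style translation helper must still be
// HTML-escaped. The translation table, helper names and {placeholder} syntax are
// constructed here and only mimic a t(app, text, vars) style API; they are not
// ownCloud's implementation.
const translations = {
  myapp: { 'Shared with {user}': 'Geteilt mit {user}' },
};

// Mock translation helper: looks up the text and substitutes {name} placeholders.
// Both the translated template and the substituted values are plain data; nothing
// here knows whether the result will later be used as HTML.
function t(app, text, vars) {
  const template = (translations[app] && translations[app][text]) || text;
  return template.replace(/\{(\w+)\}/g, (match, key) =>
    vars && Object.prototype.hasOwnProperty.call(vars, key) ? String(vars[key]) : match);
}

// Escape the characters that matter in HTML text and attribute contexts.
// '&' is replaced first so the entities produced afterwards are not double-escaped.
function escapeHTML(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Vulnerable pattern: the translated string is dropped into markup as-is, so any
// markup in the translation or in the interpolated value becomes live HTML.
function renderUnsafe(user) {
  return '<li>' + t('myapp', 'Shared with {user}', { user: user }) + '</li>';
}

// Hardened pattern: escape the whole translated result right before it becomes
// HTML, regardless of where the template or the placeholder values came from.
function renderSafe(user) {
  return '<li>' + escapeHTML(t('myapp', 'Shared with {user}', { user: user })) + '</li>';
}

// Constructed sample value: a display name that happens to contain markup.
const sampleUser = 'bob <b>&</b>';
console.log(renderUnsafe(sampleUser)); // markup survives into the output
console.log(renderSafe(sampleUser));   // markup is neutralised
```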