[Owncloud] Security Guidelines, attention app developers

Frank Karlitschek frank at owncloud.org
Fri Mar 8 16:25:01 UTC 2013


This is very cool!!!
Thanks a lot.

Frank

On 08.03.2013, at 16:56, Bernhard Posselt <nukeawhale at gmail.com> wrote:

> Lukas and I have created a page with common security recommendations: http://doc.owncloud.org/server/5.0/developer_manual/general/security.html
> 
> Feel free to contribute/fix mistakes and please audit your apps!
> 
> The most annoying problem with most apps is that security checks are deliberately not included if they are not absolutely required. This makes it incredibly hard to audit and review your apps for security and poses a potential risk for future code changes.
> 
> In general: Enforce every *possible* security measure which does not break the app (always check for a logged-in user and CSRF -> callRegistered(), always escape JS even when it's output from t()).
> 
> If it's not possible to do CSRF checks or other checks, check twice. Maybe you don't split public/private functionality code properly.
> 
> cheers
> 
> Bernhard Posselt
> 
> 
> _______________________________________________
> Owncloud mailing list
> Owncloud at kde.org
> https://mail.kde.org/mailman/listinfo/owncloud
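As an added illustration of the "enforce every check, even when the endpoint would work without it" rule from the quoted post (example code, not from the mailing list or the ownCloud project): an ownCloud 5 style AJAX endpoint for a hypothetical "notes" app, using the OCP\JSON, OCP\DB and OCP\User helpers of the ownCloud 5 public API; the app name, table and POST fields are assumptions.

```php
<?php
// Added example (not ownCloud project code): ajax/save_note.php of a
// hypothetical "notes" app. Every check below is enforced unconditionally,
// so a reviewer can confirm the endpoint's protections without tracing
// every caller, and a later code change cannot silently widen exposure.

// 1. Authentication: refuse anonymous callers before touching any data.
OCP\JSON::checkLoggedIn();

// 2. The app must be enabled; keeps disabled-app code paths unreachable.
OCP\JSON::checkAppEnabled('notes');

// 3. CSRF: the request must carry the token issued by OCP\Util::callRegister()
//    on the page that made the call. Cross-origin forged requests lack it.
OCP\JSON::callCheck();

// 4. Input validation: accept only what this handler actually needs.
$id   = isset($_POST['id'])   ? (int) $_POST['id']      : 0;
$body = isset($_POST['body']) ? (string) $_POST['body'] : '';
if ($id <= 0 || strlen($body) > 65536) {
    OCP\JSON::error(array('message' => 'invalid input'));
    exit;
}

// 5. Authorization: scope the write to the logged-in user, not only to the
//    note id, so one user cannot overwrite another user's note by guessing ids.
$user  = OCP\User::getUser();
$query = OCP\DB::prepare(
    'UPDATE `*PREFIX*notes` SET `body` = ? WHERE `id` = ? AND `user_id` = ?'
);
$query->execute(array($body, $id, $user));

// Hand data back as JSON only. The JS side still runs every string it
// inserts into the DOM through escapeHTML(), including strings from t().
OCP\JSON::success(array('id' => $id));
```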