Clear linter warnings
This commit is contained in:
parent
f13a30258f
commit
29283389c8
@ -1,7 +1,10 @@
|
|||||||
|
<!-- markdownlint-disable-next-line MD041 -->
|
||||||
##### Project
|
##### Project
|
||||||
|
|
||||||
::PROJECT-NAME
|
::PROJECT-NAME
|
||||||
|
|
||||||
##### Internal Release Number
|
##### Internal Release Number
|
||||||
|
|
||||||
::X.Y.Z
|
::X.Y.Z
|
||||||
|
|
||||||
##### Related Documents
|
##### Related Documents
|
||||||
@ -14,8 +17,7 @@
|
|||||||
|
|
||||||
### Overview
|
### Overview
|
||||||
|
|
||||||
*TODO: Answer the questions below to help you design needed security
|
*TODO: Answer the questions below to help you design needed security features. Some example text is provided. Add or delete text as needed.*
|
||||||
features. Some example text is provided. Add or delete text as needed.*
|
|
||||||
|
|
||||||
#### What are the most important facts that a developer should know about the security of this system?
|
#### What are the most important facts that a developer should know about the security of this system?
|
||||||
|
|
||||||
@ -30,7 +32,6 @@ features. Some example text is provided. Add or delete text as needed.*
|
|||||||
|
|
||||||
### Security Mechanisms
|
### Security Mechanisms
|
||||||
|
|
||||||
|
|
||||||
#### What physical security mechanisms will be used?
|
#### What physical security mechanisms will be used?
|
||||||
|
|
||||||
- ::Servers will be kept in a locked room with door code known only
|
- ::Servers will be kept in a locked room with door code known only
|
||||||
@ -94,19 +95,15 @@ features. Some example text is provided. Add or delete text as needed.*
|
|||||||
are:
|
are:
|
||||||
- ::Guest: Visitor to the site is not logged in, no permissions
|
- ::Guest: Visitor to the site is not logged in, no permissions
|
||||||
to change anything
|
to change anything
|
||||||
- ::Guest: Visitor to the site is not logged in, can post
|
- ::Guest: Visitor to the site is not logged in, can post messages anonymously
|
||||||
messages anonymously
|
- ::RegisteredUser: User is logged in, has permissions for X, Y, and Z
|
||||||
- ::RegisteredUser: User is logged in, has permissions for X, Y,
|
- ::Administrator: Permission to change anything, even on behalf of other regular users
|
||||||
and Z
|
|
||||||
- ::Administrator: Permission to change anything, even on behalf
|
|
||||||
of other regular users
|
|
||||||
- ::Each action (information display or change) requires that the
|
- ::Each action (information display or change) requires that the
|
||||||
user has a role with proper permissions
|
user has a role with proper permissions
|
||||||
- ::Compromised or abused accounts can be quickly disabled
|
- ::Compromised or abused accounts can be quickly disabled by administrators.
|
||||||
by administrators. >
|
- ::Administrators can review user permissions
|
||||||
- ::Administrators can review user > permissions
|
- ::Administrators can audit all accesses and changes
|
||||||
- ::Administrators can audit all a > ccesses and changes
|
- ::All communications with the user are encrypted (e.g., SSL)
|
||||||
- ::All communications with the us > er are encrypted (e.g., SSL)
|
|
||||||
- ::Some communications with the user (e.g., the username
|
- ::Some communications with the user (e.g., the username
|
||||||
and password) are encrypted (e.g., SSL)
|
and password) are encrypted (e.g., SSL)
|
||||||
- ::Sessions are tied to a particular client IP-address so that
|
- ::Sessions are tied to a particular client IP-address so that
|
||||||
@ -117,19 +114,10 @@ features. Some example text is provided. Add or delete text as needed.*
|
|||||||
where it can still be reviewed by administrators.
|
where it can still be reviewed by administrators.
|
||||||
- ::Sensitive data, such as credit card numbers, are processed but
|
- ::Sensitive data, such as credit card numbers, are processed but
|
||||||
not retained in any database or file
|
not retained in any database or file
|
||||||
- ::The data access layer will be responsible for preventing SQL
|
- ::The data access layer will be responsible for preventing SQL injection attacks (i.e., hackers attempting to enter SQL statements through application UI fields).
|
||||||
injection attacks (i.e., hackers attempting to enter SQL
|
- ::The data access layer will allow read-only connections, which will be used for most requests, as well as write connections for requests that update the database.
|
||||||
statements through application UI fields).
|
- ::The HTML generation layer will be responsible for preventing cross-site-scripting (XSS) attacks.
|
||||||
- ::The data access layer will allow read-only connections, which
|
- ::The application will prevent Cross-Site Request Forgery (CSRF) attacks. It will do this by performing updates to the database only after a POST, and checking that the referring page was served by the system for every POST. Browsers that do not report HTTP-Referrer will not be supported.
|
||||||
will be used for most requests, as well as write connections for
|
|
||||||
requests that update the database.
|
|
||||||
- ::The HTML generation layer will be responsible for preventing
|
|
||||||
cross-site-scripting (XSS) attacks.
|
|
||||||
- ::The application will prevent CSRF attacks. It will do this by
|
|
||||||
performing updates to the database only after a POST, and
|
|
||||||
checking that the referring page was served by the system for
|
|
||||||
every POST. Browsers that do not report HTTP-Referrer will not
|
|
||||||
be supported.
|
|
||||||
|
|
||||||
### Security Checklist
|
### Security Checklist
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user