Clear linter warnings

This commit is contained in:
William Sandner 2021-08-01 13:06:38 +02:00
parent f13a30258f
commit 29283389c8

View File

@ -1,7 +1,10 @@
<!-- markdownlint-disable-next-line MD041 -->
##### Project ##### Project
::PROJECT-NAME ::PROJECT-NAME
##### Internal Release Number ##### Internal Release Number
::X.Y.Z ::X.Y.Z
##### Related Documents ##### Related Documents
@ -14,8 +17,7 @@
### Overview ### Overview
*TODO: Answer the questions below to help you design needed security *TODO: Answer the questions below to help you design needed security features. Some example text is provided. Add or delete text as needed.*
features. Some example text is provided. Add or delete text as needed.*
#### What are the most important facts that a developer should know about the security of this system? #### What are the most important facts that a developer should know about the security of this system?
@ -30,7 +32,6 @@ features. Some example text is provided. Add or delete text as needed.*
### Security Mechanisms ### Security Mechanisms
#### What physical security mechanisms will be used? #### What physical security mechanisms will be used?
- ::Servers will be kept in a locked room with door code known only - ::Servers will be kept in a locked room with door code known only
@ -94,19 +95,15 @@ features. Some example text is provided. Add or delete text as needed.*
are: are:
- ::Guest: Visitor to the site is not logged in, no permissions - ::Guest: Visitor to the site is not logged in, no permissions
to change anything to change anything
- ::Guest: Visitor to the site is not logged in, can post - ::Guest: Visitor to the site is not logged in, can post messages anonymously
messages anonymously - ::RegisteredUser: User is logged in, has permissions for X, Y, and Z
- ::RegisteredUser: User is logged in, has permissions for X, Y, - ::Administrator: Permission to change anything, even on behalf of other regular users
and Z
- ::Administrator: Permission to change anything, even on behalf
of other regular users
- ::Each action (information display or change) requires that the - ::Each action (information display or change) requires that the
user has a role with proper permissions user has a role with proper permissions
- ::Compromised or abused accounts can be quickly disabled - ::Compromised or abused accounts can be quickly disabled by administrators.
by administrators. > - ::Administrators can review user permissions
- ::Administrators can review user > permissions - ::Administrators can audit all accesses and changes
- ::Administrators can audit all a > ccesses and changes - ::All communications with the user are encrypted (e.g., SSL)
- ::All communications with the us > er are encrypted (e.g., SSL)
- ::Some communications with the user (e.g., the username - ::Some communications with the user (e.g., the username
and password) are encrypted (e.g., SSL) and password) are encrypted (e.g., SSL)
- ::Sessions are tied to a particular client IP-address so that - ::Sessions are tied to a particular client IP-address so that
@ -117,19 +114,10 @@ features. Some example text is provided. Add or delete text as needed.*
where it can still be reviewed by administrators. where it can still be reviewed by administrators.
- ::Sensitive data, such as credit card numbers, are processed but - ::Sensitive data, such as credit card numbers, are processed but
not retained in any database or file not retained in any database or file
- ::The data access layer will be responsible for preventing SQL - ::The data access layer will be responsible for preventing SQL injection attacks (i.e., hackers attempting to enter SQL statements through application UI fields).
injection attacks (i.e., hackers attempting to enter SQL - ::The data access layer will allow read-only connections, which will be used for most requests, as well as write connections for requests that update the database.
statements through application UI fields). - ::The HTML generation layer will be responsible for preventing cross-site-scripting (XSS) attacks.
- ::The data access layer will allow read-only connections, which - ::The application will prevent Cross-Site Request Forgery (CSRF) attacks. It will do this by performing updates to the database only after a POST, and checking that the referring page was served by the system for every POST. Browsers that do not report HTTP-Referrer will not be supported.
will be used for most requests, as well as write connections for
requests that update the database.
- ::The HTML generation layer will be responsible for preventing
cross-site-scripting (XSS) attacks.
- ::The application will prevent CSRF attacks. It will do this by
performing updates to the database only after a POST, and
checking that the referring page was served by the system for
every POST. Browsers that do not report HTTP-Referrer will not
be supported.
### Security Checklist ### Security Checklist