Security Practices - SeoulSKY/safe-zone-system GitHub Wiki

Security Practices

CSRF Protection:

  • Cross-Site Request Forgery

  • CSRF attacks use a logged-in user's credentials to perform actions on the user's behalf; this is an issue for users who access the app through a web browser

      * ex. Clicking a link while logged in to a website and having the page behind that link send a delete request to the website you are signed in to, deleting your account
    
  • Using the Flask-WTF extension we can enable CSRF protection. All that is required on the server side is:

      from flask_wtf.csrf import CSRFProtect

      csrf = CSRFProtect()
      csrf.init_app(app)  # equivalently: csrf = CSRFProtect(app); do not do both, or the hooks are registered twice
    
  • CSRF protection requires the app's secret key to sign the token securely

      # the key must be long, random and kept out of source control (load it from the environment in production)
      app.config.update(DEBUG=True, SECRET_KEY="secret_ingredient")
    
  • when making a request from the front end, make sure to add the X-CSRFToken header. This example uses jQuery's $.ajaxSetup, but it should get the point across

    <script type="text/javascript">
    var csrf_token = "{{ csrf_token() }}";

    $.ajaxSetup({
      beforeSend: function(xhr, settings) {
        // only same-origin requests using an unsafe method carry the token
        if (!/^(GET|HEAD|OPTIONS|TRACE)$/i.test(settings.type) && !this.crossDomain) {
          xhr.setRequestHeader("X-CSRFToken", csrf_token);
        }
      }
    });
    </script>

  • we can create an API endpoint to fetch the token if needed

  • making sure to use the right type of request (GET, POST, etc.) also helps with security: state-changing actions should never be reachable through GET

  • docs for CSRF Protection: https://flask-wtf.readthedocs.io/en/0.15.x/csrf/

  • Video to give you a more clear idea: https://www.youtube.com/watch?v=eWEgUcHPle0
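To make the mechanism above concrete, here is an added example (not code from the wiki or from the safe-zone-system project) that reproduces, with only the Python standard library, what Flask-WTF's CSRFProtect does for us: a per-session random value signed with SECRET_KEY, handed out as the token, and checked only on unsafe methods (the same set the ajaxSetup regex skips). The function names issue_csrf_token, verify_csrf_token and check_request and the dict-based session are assumptions made for this illustration.

```python
import hmac
import hashlib
import secrets

SECRET_KEY = "secret_ingredient"  # the wiki's example value; real deployments load a random key from the environment
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}  # never enforce on these, matching the client-side regex


def issue_csrf_token(session: dict, secret_key: str = SECRET_KEY) -> str:
    """Create (or reuse) a per-session random value and return it signed with the app secret.

    The signed form "<random>.<hmac>" plays the role of what csrf_token() embeds in a template
    or what a token endpoint would return. The raw value is stored in the session so the token
    is bound to this user only.
    """
    if "csrf_raw" not in session:
        session["csrf_raw"] = secrets.token_hex(16)
    raw = session["csrf_raw"]
    sig = hmac.new(secret_key.encode(), raw.encode(), hashlib.sha256).hexdigest()
    return f"{raw}.{sig}"


def verify_csrf_token(token, session: dict, secret_key: str = SECRET_KEY) -> bool:
    """Accept only a token we signed AND whose random part matches this session."""
    if not token or "." not in token or "csrf_raw" not in session:
        return False
    raw, sig = token.rsplit(".", 1)
    expected = hmac.new(secret_key.encode(), raw.encode(), hashlib.sha256).hexdigest()
    # constant-time comparisons avoid leaking how many characters matched
    return hmac.compare_digest(sig, expected) and hmac.compare_digest(raw, session["csrf_raw"])


def check_request(method: str, headers: dict, form: dict, session: dict) -> tuple:
    """Mimic CSRFProtect's before-request hook: return (status, reason).

    Safe methods pass untouched; anything else needs a valid token either in the
    X-CSRFToken header (what the ajaxSetup snippet sends) or in a csrf_token form field.
    Header names are treated case-sensitively here for brevity; a real framework normalises them.
    """
    if method.upper() in SAFE_METHODS:
        return 200, "safe method, no token required"
    token = headers.get("X-CSRFToken") or headers.get("X-CSRF-Token") or form.get("csrf_token")
    if token is None:
        return 400, "The CSRF token is missing."
    if not verify_csrf_token(token, session):
        return 400, "The CSRF token is invalid."
    return 200, "ok"


if __name__ == "__main__":
    # constructed walk-through: a victim session, a request without a token, and one with it
    victim_session = {}
    token = issue_csrf_token(victim_session)
    print(check_request("POST", {}, {}, victim_session))                      # missing token -> 400
    print(check_request("POST", {"X-CSRFToken": token}, {}, victim_session))  # valid token -> 200
```

The important property is the second comparison in verify_csrf_token: a token that is correctly signed but was issued for a different session (for instance one obtained by another user of the same site) is still rejected, which is why the token is tied to the session rather than being a bare signature over a constant.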

React-Native

  • if we are using deep linking (similar to web URLs), sensitive information should never be sent through deep links. They are not secure.
  • A deep link is a link that sends a user to an app, or to a page in an installed app, so that they do not have to navigate to the page themselves

Database

  • make sure to use parameterized queries whenever possible

  • avoid passing raw SQL strings to the ORM's filter() method; it accepts raw SQL, which leaves us more vulnerable to injection attacks

  • A raw/native SQL statement is one you build manually yourself without using an ORM. An example is

    SELECT * FROM table WHERE id=1

  • we can create tests to check if any API endpoints are vulnerable by attempting SQL injection on a test database
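As an added example (not code from the wiki or from the safe-zone-system project), the block below shows the same lookup written as a string-formatted raw statement and as a parameterized query, and then the kind of test the last bullet suggests: run a known injection probe against each query function on an in-memory test database and flag any function that returns rows a literal match never would. The users table, its sample rows and the function names are constructed for this illustration.

```python
import sqlite3


def make_test_db() -> sqlite3.Connection:
    """In-memory test database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com"), ("carol", "carol@example.com")],
    )
    return conn


def find_user_raw(conn: sqlite3.Connection, username: str) -> list:
    """Raw SQL built by string formatting: the caller-controlled value becomes part of the statement.

    This is the pattern to avoid; it is kept here only so the test below can show the difference.
    """
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query: the value travels separately from the statement and can never change it."""
    return conn.execute("SELECT id, username FROM users WHERE username = ?", (username,)).fetchall()


# A classic tautology probe used purely as test input: no real username contains it,
# so a literal match must return zero rows.
INJECTION_PROBE = "' OR '1'='1"


def leaks_on_injection(query_fn, conn: sqlite3.Connection) -> bool:
    """The check the wiki describes: a lookup is vulnerable if the probe returns any rows."""
    return len(query_fn(conn, INJECTION_PROBE)) > 0


def audit(conn: sqlite3.Connection) -> dict:
    """Run the probe over every lookup we expose and report which ones leak."""
    lookups = {"find_user_raw": find_user_raw, "find_user_parameterized": find_user_parameterized}
    return {name: leaks_on_injection(fn, conn) for name, fn in lookups.items()}


if __name__ == "__main__":
    db = make_test_db()
    for name, vulnerable in audit(db).items():
        print(f"{name}: {'VULNERABLE' if vulnerable else 'ok'}")
```

The same distinction applies inside an ORM: SQLAlchemy's filter() with a text expression assembled from user input is the raw case, while filter(User.username == value) or a bound parameter is the parameterized one. Keeping the probe in a unit test that runs against a throwaway database means a regression to string formatting is caught before it reaches a real endpoint.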

Sources:
