Questions and remarks for the security audit

Questions and Remarks for the Security Audit

Primary Goals

These are the main goals of the security audit:

  1. Verify that the server can never see content (content text, images, comment text etc.) of documents or folder names. In order words. This assumes that the client is not compromised. This includes that the server can never just inject an entry into a response resulting in a client to encrypt or sign content for the server to get access to data.

  2. Verify that the backend service is not vulnerable to common attacks like SQL injection or the Websocket connection can be compromised.

Repositories

The app repository is https://github.com/serenity-kit/serenity (opens in a new tab)

Structure:

Related repositories we developed and use in Serenity:

HTTPS connections

  • Are there any HTTP security feautes we should activate? (HSTS is on)

Websocket Connections

  • Is passing an authentication token as a query parameter secure enough or what are proposed alternatives? I read this is the only way to pass authentication tokens in a websocket connection.
  • Should the Origin header be verified to basically simuate CORS checking? Does it provide any additional security in this case?
  • Should the Sec-WebSocket-Protocol header be verified to basically simulate CORS checking? Does it provide any additional security in this case?
  • Is the webSocketServer setup fine or should we restrict maxPayload for example?
  • Is webSocketServer.handleUpgrade handled correctly?
DeviceIntroduction