
Restinio Security #109

Open
KaungZawHtet opened this issue Jun 28, 2020 · 3 comments

Comments

@KaungZawHtet

How is security preparation for both maintainers and restinio users?
I hope for some security advice with restinio-specific code in your documentation.
I found this link: https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html and I hope you can use it for a security advice doc in terms of that list.

In the PHP world, here is some notable security advice from the yii2 framework maintainers with yii2-specific code: https://www.yiiframework.com/doc/guide/2.0/en/security-overview

Thank you for your restinio.

@eao197
Member

eao197 commented Jun 30, 2020

Thanks for the interesting link.

I think there are several levels where security can and should be provided:

  • the first and the lowest level is the correct and reasonable behavior in the case of wrong/damaged or specially formed input. There we are relying on the quality of http_parser that is battle-tested in various conditions (I hope);
  • the second level is the behavior of the RESTinio library in some corner cases. For example, RESTinio controls various timeouts and automatically drops connections without any activity (or very slow ones);
  • the third level is the behavior of an application built on top of RESTinio. Like usage of JWT or exposure of some sensitive information via URL.

Your reference is almost completely related to the third level.

But at the current moment of RESTinio's evolution, our main task is to provide an appropriate quality for the first two levels. It's because we don't have plans to make RESTinio a too high-level framework (like Oat++, for example) where most of the operations will be hidden from a user. With RESTinio a user has to describe routes and route parameters by his/herself. A user makes the decision about authentication schemes and related things. And so on.

So he/she can use any reasonable security recommendations like the one mentioned by you.

RESTinio is intended to make things simple, but not to hide all the details from a user. We want to add some features that can simplify a task for a user (like optional tools for limitation of request rate from an IP). But those tools will be just helpers. And a user will have to turn them on by his/herself.

@mouse07410

Is it feasible/possible to use HTTPS (aka TLS) with RESTinio? If so, how?
