Just addressing one of your questions.

"SECURITY: Is my website secure in any way, shape, or form?"

# No it is not!!!

## Reasons

  1. Insecure transport. You should never send private data via an unsecured protocol. HTTP will let anyone see all the data communicated between you (server) and the client. YOU MUST USE HTTPS or an alternative high-level encryption when communicating any form of private data.

     Node.js supports HTTPS.

  2. Insecure Data Store. The file creds.json is open for anyone that can gain access to it. You should NEVER store private data unencrypted, no matter how secure you think your server may be.

     Node.js provides an encryption module you can use to secure server-side data.

  3. Insecure source code. You have user names in the source code; this should never be done. There should be only one source of private data (see point 2 above).

  4. Insecure logging. You should never log data that contains private client data, or log information in such a way that a reference/association can be made between a client and logged data without access to encryption keys.

## Private data

You must consider all data related to a client as extremely sensitive. It's not only the password but handles (usernames), IP addresses, log on/off times/dates and more.

My advice is DON'T attempt to create your own authentication and log-in system. Use existing services and/or systems.

Bounty Awarded with 50 reputation awarded by Ben A

Answer by Blindman67