Security Issues
Our web app deals with sensitive user information: passwords, email addresses, dates of birth, first names, and last names. Safeguarding this data is crucial to the privacy and security of our users. We also reduce our risk by not requiring first and last names to create an account.
We store passwords as hashes rather than in plaintext. This ensures that even in the event of a data breach, the actual passwords remain difficult to recover.
For the protection of personal user information, including names, dates of birth, and email addresses, we implement two approaches:
- Data in Transit Encryption: Using HTTPS, we encrypt data during transmission. This protects names, dates of birth, and email addresses from interception.
- Database Security: While dates of birth and email addresses may not be encrypted in the database, they are protected by authorization. Access is restricted so that only the user they belong to can see them. Names, depending on user preferences, may be visible to other users if the user chooses to share them.
Our web app, built with ASP.NET and Entity Framework Core on top of a PostgreSQL database hosted on Azure, is designed with security in mind. While our choice of tech stack mitigates certain attack vectors, it is important to remain vigilant.
To prevent XSS attacks, we strictly control input formats in our API. Accepting data only in predefined formats ensures that user input is thoroughly validated, minimizing the risk of malicious script injection.
Automated attempts to guess user passwords pose a threat. To counter this, we will enforce strong password policies.
CSRF attacks could trick users into performing unintended actions. However, because we use stateless JWT tokens, this is not a concern for us: https://learn.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-7.0#token-based-authentication-1
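As an added illustration of the two points above (strict input formats in the API and a strong password policy), not code from this project: a registration endpoint in ASP.NET Core 7 Identity where every field is validated against a predefined format before the handler runs, and where the password policy and lockout settings limit automated guessing. RegisterRequest, AccountController, IdentitySetup and AppDbContext are assumed names, and ImplicitUsings is assumed to be enabled.

```csharp
using System.ComponentModel.DataAnnotations;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
// Request body for account creation: every field has a predefined format, so model
// binding rejects anything else before the controller runs.
public sealed class RegisterRequest
{
    [Required, EmailAddress, StringLength(254)]
    public string Email { get; set; } = string.Empty;
    // Names are optional (an account does not require them). The allow-list pattern accepts
    // letters, marks, apostrophes, spaces and hyphens only, so markup characters never reach storage.
    [StringLength(64), RegularExpression(@"^[\p{L}\p{M}' \-]*$")]
    public string? FirstName { get; set; }
    [StringLength(64), RegularExpression(@"^[\p{L}\p{M}' \-]*$")]
    public string? LastName { get; set; }
    // DateOnly binds only from an ISO date such as 1990-05-17; free text is rejected.
    [Required] public DateOnly DateOfBirth { get; set; }
    [Required, StringLength(128, MinimumLength = 12)]
    public string Password { get; set; } = string.Empty;
}
[ApiController, Route("api/[controller]")]
public sealed class AccountController : ControllerBase
{
    private readonly UserManager<IdentityUser> _users;
    public AccountController(UserManager<IdentityUser> users) => _users = users;
    // [ApiController] answers 400 on its own when validation fails, so only well-formed
    // input gets here. CreateAsync enforces the password policy below and stores a
    // salted PBKDF2 hash of the password, never the plaintext.
    [HttpPost("register")]
    public async Task<IActionResult> Register([FromBody] RegisterRequest req)
    {
        var user = new IdentityUser { UserName = req.Email, Email = req.Email };
        var result = await _users.CreateAsync(user, req.Password);
        return result.Succeeded ? Ok() : BadRequest(result.Errors);
    }
}
// Password policy, registered from Program.cs as builder.Services.AddAccountIdentity().
// The AddEntityFrameworkStores<AppDbContext>() call that must follow is assumed here.
public static class IdentitySetup
{
    public static IdentityBuilder AddAccountIdentity(this IServiceCollection services) =>
        services.AddIdentityCore<IdentityUser>(o =>
        {
            o.Password.RequiredLength = 12;          // length matters more than symbol rules
            o.Password.RequiredUniqueChars = 6;      // rejects repeated-character passwords
            o.Lockout.MaxFailedAccessAttempts = 5;   // read by the login path's failure counter
            o.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
        });
}
```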