Add security best practices link to docs for whoami, token transfer, …

…svelte and general overview docs
hokosugi · Nov 9, 2022 · 84850a9 · 84850a9
1 parent f082591
commit 84850a9
Show file tree

Hide file tree

Showing 6 changed files with 42 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -37,4 +37,7 @@ To get started:
     ```
     dfx build
     ```
-    
+
+## Security Considerations and Security Best Practices
+
+If you base your application on one of these examples, we recommend you familiarize yourself with and adhere to the [Security Best Practices](https://internetcomputer.org/docs/current/references/security/) for developing on the Internet Computer. The examples provided here may not implement all the best practices.
diff --git a/motoko/README.md b/motoko/README.md
@@ -39,3 +39,7 @@ These examples use a "conventional" front end component (via `React.Component`).
 - [`life`](https://github.com/dfinity/examples/tree/master/motoko/life) -- demonstrates upgrades among three versions and stable state migration.
 - [`phone-book`](https://github.com/dfinity/examples/tree/master/motoko/phone-book) -- CRUD-like demo service.
 - [`superheroes`](https://github.com/dfinity/examples/tree/master/motoko/superheroes) -- CRUD-like demo service.
+
+## Security Considerations and Security Best Practices
+
+If you base your application on one of these examples, we recommend you familiarize yourself with and adhere to the [Security Best Practices](https://internetcomputer.org/docs/current/references/security/) for developing on the Internet Computer. The examples provided here may not implement all the best practices.
diff --git a/motoko/whoami/README.md b/motoko/whoami/README.md
@@ -5,6 +5,14 @@
 
 This example demonstrates how a canister can identify its caller and itself.
 
+## Security Considerations and Security Best Practices
+
+If you base your application on this example, we recommend you familiarize yourself with and adhere to the [Security Best Practices](https://internetcomputer.org/docs/current/references/security/) for developing on the Internet Computer. This example may not implement all the best practices.
+
+For example, the following aspects are particularly relevant for this app:
+* [Make sure any action that only a specific user should be able to do requires authentication](https://internetcomputer.org/docs/current/references/security/rust-canister-development-security-best-practices#make-sure-any-action-that-only-a-specific-user-should-be-able-to-do-requires-authentication), since this example illustrates how to access the caller system API. 
+* [Disallow the anonymous principal in authenticated calls](https://internetcomputer.org/docs/current/references/security/rust-canister-development-security-best-practices#disallow-the-anonymous-principal-in-authenticated-calls), since the caller system API may return the anonymous principal.
+
 ## Prerequisites
 
 Verify the following before running this demo:

diff --git a/rust/tokens_transfer/README.md b/rust/tokens_transfer/README.md
@@ -3,6 +3,14 @@
 Tokens Transfer shows how a canister can interact with the ledger and make transfers from its account
 to other accounts.
 
+## Security Considerations and Security Best Practices
+
+If you base your application on this example, we recommend you familiarize yourself with and adhere to the [Security Best Practices](https://internetcomputer.org/docs/current/references/security/) for developing on the Internet Computer. This example may not implement all the best practices.
+
+For example, the following aspects are particularly relevant for this app, since it is a finance application that makes inter-canister calls to the ledger:
+* [Be aware that state may change during inter-canister calls](https://internetcomputer.org/docs/current/references/security/rust-canister-development-security-best-practices#be-aware-that-state-may-change-during-inter-canister-calls)
+* [Only make inter-canister calls to trustworthy canisters](https://internetcomputer.org/docs/current/references/security/rust-canister-development-security-best-practices#only-make-inter-canister-calls-to-trustworthy-canisters)
+* [Don’t panic after await and don’t lock shared resources across await boundaries](https://internetcomputer.org/docs/current/references/security/rust-canister-development-security-best-practices#dont-panic-after-await-and-dont-lock-shared-resources-across-await-boundaries)
 
 ## Interface
 

diff --git a/svelte-motoko-starter/README.md b/svelte-motoko-starter/README.md
@@ -39,6 +39,15 @@ Motoko is a new language designed for the Internet Computer. Easy to learn for J
 
 This starter template also includes integration with Internet Identity. Internet Identity is a new authentication framework similar to Github or Google login, but providing complete anonimity to the users. To learn more about Internet Identity check out the [documentation](https://smartcontracts.org/docs/ic-identity-guide/what-is-ic-identity.html).
 
+## Security Considerations and Security Best Practices
+
+If you base your application on this example, we recommend you familiarize yourself with and adhere to the [Security Best Practices](https://internetcomputer.org/docs/current/references/security/) for developing on the Internet Computer. This example may not implement all the best practices.
+
+For example, the following aspects are particularly relevant for creating frontends:
+* [Use a well-audited authentication service and client side IC libraries](https://internetcomputer.org/docs/current/references/security/web-app-development-security-best-practices#use-a-well-audited-authentication-service-and-client-side-ic-libraries)
+* [Define security headers including a Content Security Policy (CSP)](https://internetcomputer.org/docs/current/references/security/web-app-development-security-best-practices#define-security-headers-including-a-content-security-policy-csp)
+* [Don’t load JavaScript (and other assets) from untrusted domains](https://internetcomputer.org/docs/current/references/security/web-app-development-security-best-practices#dont-load-javascript-and-other-assets-from-untrusted-domains)
+
 ## Install dependencies
 
 Make sure you have [node.js](https://nodejs.org/) installed.

diff --git a/svelte-starter/README.md b/svelte-starter/README.md
@@ -22,6 +22,15 @@ Dapps on the Internet Computer live in canisters, which are special smart contra
 
 This repository uses Svelte for the frontend, and can upload it to an `asset` type canister that can host your frontend on the Internet Computer.
 
+## Security Considerations and Security Best Practices
+
+If you base your application on this example, we recommend you familiarize yourself with and adhere to the [Security Best Practices](https://internetcomputer.org/docs/current/references/security/) for developing on the Internet Computer. This example may not implement all the best practices.
+
+For example, the following aspects are particularly relevant for creating frontends:
+* [Use a well-audited authentication service and client side IC libraries](https://internetcomputer.org/docs/current/references/security/web-app-development-security-best-practices#use-a-well-audited-authentication-service-and-client-side-ic-libraries)
+* [Define security headers including a Content Security Policy (CSP)](https://internetcomputer.org/docs/current/references/security/web-app-development-security-best-practices#define-security-headers-including-a-content-security-policy-csp)
+* [Don’t load JavaScript (and other assets) from untrusted domains](https://internetcomputer.org/docs/current/references/security/web-app-development-security-best-practices#dont-load-javascript-and-other-assets-from-untrusted-domains)
+
 ## Install dependencies
 
 Make sure you have [node.js](https://nodejs.org/) installed.