I would like to upload a csv file with sensitive data to a website that allows csv uploads. The website is secured with SSL however, I am uncertain whether the csv file upload would be transmitted securely?
When you upload a file to a website over SSL, the file is encrypted while it is transmitted from your device to the website's server. This means that anyone who might intercept the transmission would not be able to read the contents of the file.
If you are concerned about the security of your data, you might consider using a file sharing service that allows you to password-protect your files or encrypt them before uploading. This will add an extra layer of security to your data and help to ensure that it is protected from unauthorized access.
Dropbox
Google Drive
OneDrive
Related
I'm developing a small private social network where the users can share media files and text with each other. To provide some sort of security the data is stored encrypted on the server / in the database. Now the question is where and how to store the private key(s) of the encrypted data. I use mongoDB to store the user information and a simple Apache 2 server to store the actual encrypted media files. The client is connected to a socket.io server running on https to read the database content. So here is a list of the steps I thought of to make it as safe as possible, please let me know if I miss something or going down the wrong path.
AES 128 bit encryption for the media files and text
HTTPS and SSL encryption for the Server-Client connection
Storing the secret key for the database content in a c / c++ class (if possible?) in the client
code
Creating an own secret key for every media file / upload and storing it encrypted in the database
Restrict the access to the server to everything but the encrypted media files
Currently, I am working on a web app. The backend would frequently communicate with the Docker Engine API and I am using certificate signing (client/server key) to authenticate. However, where should I store the certificate PEM file? Should I store it in the database, or should I store it as a file then store the file path in the database?
Storing into a database would mean that I have to access the database every time there is a command being sent. Am I correct?
I feel storing the PEM files on disk would be less resource-intensive. As you have stated, if it is stored in the database, you will need to make a request any time you wish to access it.
If you do store the PEM file on disk, ensure it is not within a web-accessible directory e.g. nobody should be able to goto https://yourapp/your.pem file
We are storing files uploaded by users of our app to Amazon S3.
In order to keep these files private & secure, we are:
having the client generate a UUID for the filename (so that the URL of the file is difficult to guess). See: What is the probability of guessing (matching) a Guid?
going to protect the data by using client-side encryption.
Do these two measures provide sufficient security, or should we also use Amazon Cognito to ensure that the user getting the object is one of the users who has access to it?
Using obscure filenames is not a good security method.
If you wish to allow users to upload/download data to/from Amazon S3 in a secure manner, you should use Pre-Signed URLs.
The process is:
Users authenticate to your web/mobile application
Users interact with your application and indicate they wish to upload/download a file
Your application generates a pre-signed URL that includes an authorization to access Amazon S3, with restrictions such as bucket, path and file size
Users upload/download the file using the pre-signed URL
This way, your application controls the security and there is no potential for accidental workaround, overwriting, access, etc.
See: Uploading Objects Using Pre-Signed URLs
In our project we have separate login page and several SPAs which user can access only after proper authentication.
All static content is placed in public CDN. But html files of SPAs are stored in DB and delivered to user by index service.
We don't want to store html files in DB because it is inconvenient for us.
What is the best way to store html files in secure area?
Not really sure whats the purpose behind securely storing html files, instead you should serve the pages and validate the REST calls based on User's Authorization settings.
If a chrome-extension requests the permission "Read and modify all your data on all websites you visit", can it then read data from the local storage of one of these visited sites?
I'm asking this because I know of some websites which store authentication tokens in the local storage. If the extension can access the token, it would be frightfully easy to harvest access tokens...
The answer is Yes. Content script injected by an extension has full access to localStorage for the site.