Searching a best practice to register users in CouchDB [closed] - couchdb

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 4 years ago.
Coming from more traditional web frameworks like Django and a little bit of Rails, I am a bit confused about what the best way is to register a new user in your CouchDB-backed web app. The registration process should include sending an e-mail with an activation link.
Can this be handled in CouchDB completely? Or do I just write a little bit of code in my web app layer as I did before?
Any link or short explanation is highly appreciated.

CouchDB has a basic authentication system that allows you to create users and manage their roles and permissions.
However, you'll probably need to add certain logic in your application layer to support some of the basic features of an authentication system.
For example, you would have to add some code to support password recovery.
Also, it supports cookie authentication, but you can't revoke cookies from a user (if that's an issue for you, don't use CouchDB's auth system).
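The application-layer part of the activation-link flow asked about above, as an added example that is not part of the original answer: the web app issues a signed, expiring token for the e-mailed link and only builds the CouchDB `_users` document once that token verifies. The secret handling, the 24-hour lifetime and all function names are assumptions made for this sketch.

```javascript
const crypto = require("crypto");

// Assumptions for this sketch: a per-deployment secret and a 24-hour link lifetime.
const SECRET = crypto.randomBytes(32);
const TTL_MS = 24 * 60 * 60 * 1000;

function sign(payload) {
  return crypto.createHmac("sha256", SECRET).update(payload).digest("hex");
}

// Token for the e-mailed link: hex(JSON claims) + "." + HMAC-SHA256 over that hex.
function issueToken(name, now = Date.now()) {
  const claims = JSON.stringify({ name, exp: now + TTL_MS });
  const payload = Buffer.from(claims, "utf8").toString("hex");
  return payload + "." + sign(payload);
}

// Returns the user name for an authentic, unexpired token, otherwise null.
function verifyToken(token, now = Date.now()) {
  const parts = String(token).split(".");
  if (parts.length !== 2) return null;
  const expected = Buffer.from(sign(parts[0]), "utf8");
  const given = Buffer.from(parts[1], "utf8");
  // Constant-time comparison; lengths must match before timingSafeEqual.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  let claims;
  try {
    claims = JSON.parse(Buffer.from(parts[0], "hex").toString("utf8"));
  } catch (err) {
    return null;
  }
  if (typeof claims.name !== "string" || typeof claims.exp !== "number") return null;
  return now <= claims.exp ? claims.name : null;
}

// Document the app layer PUTs to /_users/org.couchdb.user:<name> once the
// link is confirmed; CouchDB hashes the "password" field on write.
function buildUserDoc(name, password) {
  return { _id: "org.couchdb.user:" + name, name, type: "user", roles: [], password };
}

// Only a verified token yields a user document to store.
function activate(token, password, now = Date.now()) {
  const name = verifyToken(token, now);
  return name === null ? null : buildUserDoc(name, password);
}
```

Because the expiry is inside the signed payload, a recipient cannot extend the link's lifetime without invalidating the signature.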

Related

Does Bot Framework store any data in Azure if I replace the default bot storage with my own custom storage? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 5 years ago.
I have a client that is very jealous about her data and she asked me to replace the default bot storage of my bot with a custom storage that saves all the data in an on-premises database.
If I replace the storage, will the bot framework save permanently any conversation data in any other place? (let's say, somewhere in Azure) That's something my client would like to avoid for security concerns.
Thanks!
Saving and loading of all session data is handled in the ChatConnector's getData() and saveData() unless you provided your own via settings.storage. In non-emulator real-life scenarios it will go to https://state.botframework.com/v3/botstate/...
The bot framework doesn't store anything else, I believe. I explored this exact question very recently. Take a look:
http://www.pveller.com/smarter-conversations-part-3-breadcrumbs/
http://www.pveller.com/smarter-conversations-part-4-transcript/
I had to read the source (many times actually) to trace the inner workings of the Bot Framework and I didn't see anything that would make me think that there's another persistence somewhere.
You are probably better off asking on the official support channel to confirm and assure your client but I think you're good.
As to how reasonable it is... companies do far crazier things for all kinds of reasons :) By the way, will you also use Microsoft's LUIS for NLU? Does your client have similar concerns about all incoming messages going through that service? It's a deep rabbit hole. I think of engagement (vs. back office automation) bots as very much cloud-native. Not easy to shield yourself from it and yet benefit from all the new tech built for it.

What security features do I use to make my CF application secure? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 8 years ago.
I have an application built in CF 9. As this was developed a long time back, I am trying to implement some security features now. I only have the knowledge of using cfqueryparam to protect against SQL injection, which I have already implemented in the application code.
But what else do I use to make my application more secure?
I am using ColdFusion 9 and Oracle database.
Can anyone offer any suggestions?
It's a very broad question. But I will give you links that will get you started:
First you need to check Administering Security
Then check securing application
Then you need to learn how to lock down the server
As you mentioned, you need to use cfqueryparam in cfquery
Also you need to use best practices while developing the application.
I guess this will make your application very secure.
Here is the developer security guide to make your CF applications secure. You can download this ColdFusion Developer Security Guide.
This contains all the basics of security enhancement.

What risks are there using scripting for admin tasks? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 8 years ago.
Beginning PowerShell and looking at the automatic tasks that can be run as Admin.
Are there security risks in automating tasks? How can I resolve these issues? Is there a way to script more security before the task is run?
I have been looking for hours trying to find an answer and nothing has come up for database risks, only for PHP and website issues. But what about the active directory or communicating with the servers? Or just simple things like looking for free disk space? Do those pose a security threat to the network?
The topic of securing an OS is huge and really off-topic on SO. I recommend you to get a basic course material like, say, CompTIA Security+ or the like. Learn the basic principles and concepts first, then focus on technology specific issues.
That being said, the most obvious security hole with scripted operations is invalid permissions. Consider that the admin script is in a directory that allows write access to non-admin users. Oops, immediate backdoor. Can you figure out why?
Even read access is dangerous. Maybe the admin script has stored credentials in plain-text or serialized on disk? Oops, another security hole.

user own image folders (security against hacker) [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 9 years ago.
I'm creating a browser based image cloud service and every user will have his own picture folder.
My question is how to make sure, other users or hackers can not access foreign folders.
What is to consider?
Is it e.g. enough to check session-variables?
Thanks in advance!
I'm not 100% sure what you mean by just checking the session-variables.
I would create a setup like this:
\root
    \userImages
        \user1
            \img1.png
            \img2.png
        \user2
            \img1.png
            \img2.png
    \public
        \index.php
I'm assuming you would use PHP or ASP.NET or something similar that uses some type of server like nginx or Apache. You can set the server root to the public folder. This means only your code would have access to the user images.
You can use PHP or whatever language to look at the session information and see if the user is authenticated. If you can, I would recommend encrypting the cookie data with Mcrypt. Once you have checked the authentication, you can get the file with a script and send back header information. Here's a really in-depth article that I think would help you if you actually want a how-to. Protecting Images with PHP
If you are using PHP, Laravel handles sessions and protecting images really nicely.
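The check such a file-serving script has to make before it streams an image from outside the web root, as an added example that is not part of the original answer. It is written in JavaScript rather than PHP, and the `/srv/root/userImages` location, the `session.userId` field and the function name are assumptions for this sketch.

```javascript
const path = require("path").posix;

// Assumption: the image store sits beside the web root, not inside it
// (the \root\userImages folder of the layout above).
const IMAGE_ROOT = "/srv/root/userImages";

// Returns the absolute file path the script may stream back, or null if the
// request must be refused. `session` is the server-side session object and
// `requested` is the file name taken from the URL (untrusted).
function resolveUserImage(session, requested) {
  // 1. The folder is chosen from the authenticated session, never from the URL.
  if (!session || typeof session.userId !== "string") return null;
  if (!/^[A-Za-z0-9_-]+$/.test(session.userId)) return null;

  // 2. Reject inputs that cannot be a plain relative file name.
  if (typeof requested !== "string" || requested.length === 0) return null;
  if (requested.includes("\0") || requested.includes("\\")) return null;

  // 3. Normalise, then require the result to stay inside the user's folder.
  //    The trailing separator keeps "user1" from matching "user10".
  const userDir = path.join(IMAGE_ROOT, session.userId);
  const target = path.resolve(userDir, requested);
  if (!target.startsWith(userDir + "/")) return null;

  // 4. Serve image types only.
  if (!/\.(png|jpe?g|gif)$/i.test(target)) return null;
  return target;
}
```

A deployment that allows symbolic links inside the store would also compare the real path of the file against the user's folder before opening it.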

Beta site and invitations [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 9 years ago.
I'm launching a startup web site. What I would like to know is how to start with that; I mean, is it better to use invitations first of all?
Then how to send invitations, and to whom?
How can I plan invitations? What are the best practices?
Has anyone been through this step with their own site?
Any experience on here?
Thanks
Whether you create a beta version of the site first is completely up to you.
It really depends on what type of website you're planning to make. Betas are obviously a good way to gain feedback on your website and its functionality before releasing to everyone, thus allowing you to make improvements/fix bugs before everyone uses the site.
In terms of actually getting users for the beta, it's very much a case of marketing your website and its existence well (through social media, advertising etc.), and then providing some kind of 'sign up for the beta' page. You could then close registration for the beta once you have enough users, and devise some method of gaining feedback from users.
I haven't personally created a beta myself, but if I was to do it, I would do the above.
Hope that's of some help.
