Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • All user input (e.g. via dialogs) has to be escaped before inserted into templates.

  • All data transferred from the client to the server (e.g. cache data) has to be escaped before inserted into templates.

  • All REST interfaces or servlets contain a check whether the current user has the appropriate permission before executing any actions.

  • GET requests shall be avoided in case data is updated - risk of forged requests

  • All permission checks are done on the server not the client.

  • When a request collects data from multiple content entity objects we check that the current user has a view permission on them before including them in the result.

  • We only include the necessary information the responses.

  • We minimize the number of 3rd party libraries in our apps.

  • In case we use 3rd libraries we check the published anomalies list before using them and regularly after release.

  • Cloud only: we do not store customer data within our cloud apps.

...