Security Point of Contact?

WebstackBuilder · June 22, 2021, 12:19am

I’ve been doing some work on revising the contributing docs, and I noticed the security overview pages aren’t set up for the project. Is there a point of contact for confidential security vulnerability reports, like Linux’s security@kernel.org?

thedavid · June 22, 2021, 2:01am

Mind meld! I’ve been working on this today and updating/adding the contact in a couple places. The address is security@redwoodjs.com

FYI I’m working on the Security.md and security.txt for redwoodjs.com

Anywhere else we should add this that comes to mind?

WebstackBuilder · June 22, 2021, 10:23am

Great! I’ll add a quicklink to it in the contributing.md file.

VinayaSathyanarayana · June 26, 2021, 2:39am

See:

github.com

goldbergyoni/nodebestpractices/blob/master/sections/security/commonsecuritybestpractices.md

[✔]: ../../assets/images/checkbox-small-blue.png

# Common Node.js security best practices

The common security guidelines section contains best practices that are standardized in many frameworks and conventions, running an application with SSL/TLS, for example, should be a common guideline and convention followed in every setup to achieve great security benefits.

## ![✔] Use SSL/TLS to encrypt the client-server connection

**TL;DR:** In the times of [free SSL/TLS certificates](https://letsencrypt.org/) and easy configuration of those, you do no longer have to weigh advantages and disadvantages of using a secure server because the advantages such as security, support of modern technology and trust clearly outweigh the disadvantages like minimal overhead compared to pure HTTP.

**Otherwise:** Attackers could perform man-in-the-middle attacks, spy on your users' behaviour and perform even more malicious actions when the connection is unencrypted

🔗 [**Read More: Running a secure Node.js server**](/sections/security/secureserver.md)

<br/><br/>

## ![✔] Comparing secret values and hashes securely

**TL;DR:** When comparing secret values or hashes like HMAC digests, you should use the [`crypto.timingSafeEqual(a, b)`](https://nodejs.org/dist/latest-v9.x/docs/api/crypto.html#crypto_crypto_timingsafeequal_a_b) function Node provides out of the box since Node.js v6.6.0. This method compares two given objects and keeps comparing even if data does not match. The default equality comparison methods would simply return after a character mismatch, allowing timing attacks based on the operation length.

This file has been truncated. show original