[Chicago] Handling secret stuff: update
Leon Shernoff
leon at mushroomthejournal.com
Mon May 16 18:02:26 EDT 2016
Hi, everyone
and thanks for the suggestions!
Thanks, Philip and Joshua. I have been reading OWASP and they are a big
part of what scared *me* wrt this situation. :-)
Nick, I don't know how Django works. But @ the "code trail", Wordpress
runs on php, which means that when you have a form on a page that's
supposed to do stuff, the form says
<form action="complete_pathname/dosomething.php" method="post">
and the dosomething.php file is unencrypted text. If that file
contains or just is able to access the secret API key, I have a security
problem. While a would-be hacker may not (shouldn't!) have permissions
to get to that php file, they at least know where to look, or perhaps
they can devise some method of triggering the form's actions and having
its results directed to them. JavaScript has a similar problem -- any
action you want a page to take is written down in unencrypted pages that
are interpreted live. It sounds from what you're saying that Django has
layers between the pages that it serves and code that it runs that make
this not a problem.
In any case, this is the motivation behind my provisional idea of
(something like) Japhy's solution -- I'm not running the host server,
but at least perhaps I can trigger the more sensitive part of the
operation by scheduled actions which are independent of anything that
happens via a browser.
Thanks again. Your ideas help me think. :-)
--
Best regards,
Leon
"Creative work defines itself; therefore, confront the work."
-- John Cage
Leon Shernoff
1511 E 54th St, Bsmt
Chicago, IL 60615
(312) 320-2190
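As an added example (not code from this thread, from WordPress, or from any of the posters), here is one way to arrange what Leon describes: the form's dosomething.php only queues the request behind a CSRF token, the API key sits in a file outside the document root, and a cron-run CLI script does the sensitive call. The paths, field names, queue format and API URL are assumptions; inside WordPress the handler would normally go through admin-post.php with check_admin_referer() rather than a hand-rolled session token.

```php
<?php
// Added example, not code from the thread: the secret lives outside the web
// root and the form handler only queues work for a cron-run CLI script.
// Paths, field names and the API URL are assumptions.

// --- dosomething.php: the file the form posts to -------------------------
function handle_form_post(array $post, array $session, string $queueFile): bool
{
    $expected = $session['form_token'] ?? '';
    if ($expected === '' || !hash_equals($expected, (string) ($post['token'] ?? ''))) {
        return false;                       // not submitted from our own form
    }
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return false;                       // reject malformed input
    }
    // Only record the request: no API key exists anywhere in this file.
    $line = json_encode(['email' => $email, 'ts' => time()]) . "\n";
    return file_put_contents($queueFile, $line, FILE_APPEND | LOCK_EX) !== false;
}

// --- process_queue.php: run by cron, stored outside the document root -------
function call_remote_api(string $apiKey, array $job): bool
{
    $ch = curl_init('https://api.example.invalid/subscribe');   // placeholder URL
    curl_setopt_array($ch, [
        CURLOPT_POST => true, CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POSTFIELDS => json_encode($job),
        CURLOPT_HTTPHEADER => ['Authorization: Bearer ' . $apiKey, 'Content-Type: application/json'],
    ]);
    $ok = curl_exec($ch) !== false && curl_getinfo($ch, CURLINFO_HTTP_CODE) < 300;
    curl_close($ch);
    return $ok;
}

function process_queue(string $queueFile, string $secretsFile): int
{
    if (PHP_SAPI !== 'cli') { http_response_code(404); exit; }   // never run under the web server
    // e.g. /etc/myapp/secrets.php (assumed path) containing: <?php return ['api_key' => '...'];
    $secrets = require $secretsFile;
    $apiKey  = $secrets['api_key'];
    $done = 0;
    foreach (file($queueFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [] as $raw) {
        $job = json_decode($raw, true);
        if (is_array($job) && call_remote_api($apiKey, $job)) { $done++; }
    }
    file_put_contents($queueFile, '', LOCK_EX);   // queue consumed
    return $done;
}
```

A cron entry such as `*/5 * * * * php /srv/myapp/bin/process_queue.php` (assumed path) then drives the sensitive step on a schedule, so nothing a browser submits can reach the key directly.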