General guidelines for security
NOTE: This page is still a work in progress (WIP).
Use chroot: Wherever possible, chroot after initialization, i.e. once configuration has been read and the log files, listening sockets and any other privileged resources have been opened. Immediately after chroot, chdir to / and drop privileges to an unprivileged user (clear supplementary groups, set the gid, then the uid). A process that stays root inside a chroot can trivially escape it, so the chroot on its own is not a security boundary; the privilege drop is what makes it one.
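The sequence above, written out as an added example (it is not code from this page): chroot, chdir to /, then drop groups, gid and uid in that order, followed by a check that root cannot be regained. The os module is injected so the ordering can be exercised without root; the `/var/empty` directory and the `nobody` account in the usage block are assumptions about the host.

```python
import os
import pwd


def resolve_user(username):
    """Look up the numeric uid/gid for a system account such as 'nobody'."""
    pw = pwd.getpwnam(username)
    return pw.pw_uid, pw.pw_gid


def confine_and_drop(new_root, uid, gid, os_api=os):
    """Confine the process to new_root and switch to an unprivileged user.

    The ordering is the security-relevant part:
      1. chroot() while still root (it is a privileged call);
      2. chdir("/") so the working directory lies inside the new root,
         otherwise the pre-chroot directory stays reachable;
      3. clear supplementary groups, set the gid, and set the uid last,
         because once the uid is unprivileged the earlier calls would fail.
    Finally confirm that root cannot be regained.

    os_api is injectable so the sequence can be exercised without root
    (see PrivilegeRecorder below); in production it is the real os module.
    """
    if uid == 0 or gid == 0:
        raise ValueError("refusing to 'drop' privileges to uid/gid 0")

    os_api.chroot(new_root)
    os_api.chdir("/")
    os_api.setgroups([])
    os_api.setgid(gid)
    os_api.setuid(uid)

    # If setuid(0) still succeeds, the drop did not take effect: abort.
    try:
        os_api.setuid(0)
    except PermissionError:
        return
    raise RuntimeError("privilege drop failed: setuid(0) still succeeds")


class PrivilegeRecorder:
    """Test double standing in for the os module.

    Records the calls in order and mimics the kernel refusing privileged
    calls (chroot, setgroups, setgid, setuid) once the uid is non-zero.
    """

    def __init__(self):
        self.calls = []
        self.uid = 0

    def _require_root(self, name):
        if self.uid != 0:
            raise PermissionError(f"{name}: Operation not permitted")

    def chroot(self, path):
        self._require_root("chroot")
        self.calls.append(("chroot", path))

    def chdir(self, path):
        self.calls.append(("chdir", path))

    def setgroups(self, groups):
        self._require_root("setgroups")
        self.calls.append(("setgroups", tuple(groups)))

    def setgid(self, gid):
        self._require_root("setgid")
        self.calls.append(("setgid", gid))

    def setuid(self, uid):
        self._require_root("setuid")
        self.uid = uid
        self.calls.append(("setuid", uid))


if __name__ == "__main__":
    # Real use: must be started as root, after sockets and logs are open.
    # /var/empty and the 'nobody' account are assumed to exist on this host.
    uid, gid = resolve_user("nobody")
    confine_and_drop("/var/empty", uid, gid)
    print("running as uid", os.getuid(), "confined to /var/empty")
```

The final setuid(0) probe is cheap and catches the common mistake of calling setuid before setgid or setgroups, where the gid change silently fails and the process keeps a privileged group.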
Sanitize inputs: Inputs must always be treated as untrusted and must always be validated. Do not issue a database query or perform any other resource-consuming operation until every input has been checked, so that malformed requests are rejected cheaply. Handle SQL/NoSQL and command injection: validate against an allow-list of what a valid value looks like, bind values with parameterized queries rather than building query text by string concatenation, and pass command arguments as an argv list rather than through a shell.
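An added example, not code from this page, showing the SQL-injection case side by side with its fix and the same pattern for command injection. The table, rows and the `getent hosts` lookup are constructed for the example; the validators are allow-list regexes that run before the database or the process is touched.

```python
import re
import sqlite3
import subprocess

# Allow-list validators: describe what a VALID value looks like, not what a
# bad one looks like.  Anything that does not match is rejected outright.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*",
    re.IGNORECASE,
)


def make_demo_db():
    """In-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_email_vulnerable(conn, name):
    """Deliberately vulnerable: the input becomes part of the SQL text."""
    query = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_safe(conn, name):
    """Validate first, then bind the value as a parameter, never as SQL text."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")  # rejected before any query runs
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def dns_lookup_argv(host):
    """Build the argv for a host lookup without ever going through a shell.

    The value is validated against the allow-list and then passed as a single
    argv element, so shell metacharacters (;, |, $(...), backticks) are never
    interpreted by anything.
    """
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid hostname")
    return ["getent", "hosts", host]


def dns_lookup(host):
    # List form, no shell=True: argv goes straight to execve().
    result = subprocess.run(
        dns_lookup_argv(host), capture_output=True, text=True, check=False
    )
    return result.stdout


if __name__ == "__main__":
    db = make_demo_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_email_vulnerable(db, payload))  # every row
    try:
        lookup_email_safe(db, payload)
    except ValueError as exc:
        print("safe:", exc)
    print(dns_lookup("localhost"))
```

The vulnerable lookup returns every user's e-mail for the payload `' OR '1'='1`, because the quote closes the literal and the rest becomes SQL. The safe version never reaches the database with that input, and even a value that passes validation is bound as data, so it cannot change the query's structure.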
API responses: An API must never reveal information that the caller is not authenticated and authorized to see. Error messages must be constructed with the same care so that they leak nothing unnecessary: no stack traces, internal paths, query text or library versions, and no difference in the response that tells an unauthorized caller whether a resource exists.
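An added example (not this page's code) of a handler built around those two rules: an unauthorized caller gets the same "not found" answer whether or not the resource exists, and any unexpected failure is logged in full under a request id while the client receives only that id. The document store and the `(status, body)` return shape are assumptions standing in for a real framework.

```python
import logging
import traceback
import uuid

log = logging.getLogger("api")


class NotFound(Exception):
    """Raised both when a resource is absent and when the caller may not see it."""


# Constructed sample data: document id -> owner and content.
DOCUMENTS = {
    "doc-1": {"owner": "alice", "body": "quarterly numbers"},
    "doc-2": {"owner": "bob", "body": "draft contract"},
}


def load_document(doc_id, caller):
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != caller:
        # One answer for "does not exist" and "not yours": a caller who is
        # not authorized cannot use the difference to enumerate valid ids.
        raise NotFound(doc_id)
    return doc


def handle_get_document(doc_id, caller, loader=load_document):
    """Return (status, body) the way an HTTP handler would.

    Internal detail (exception type, stack trace, SQL, file paths) goes to
    the server log under a request id; the client only ever sees that id,
    which support staff can use to find the full record.
    """
    request_id = uuid.uuid4().hex
    try:
        doc = loader(doc_id, caller)
        return 200, {"document": doc, "request_id": request_id}
    except NotFound:
        return 404, {"error": "not found", "request_id": request_id}
    except Exception:
        log.error("request %s failed:\n%s", request_id, traceback.format_exc())
        return 500, {"error": "internal error", "request_id": request_id}


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(handle_get_document("doc-1", "alice"))  # 200
    print(handle_get_document("doc-1", "bob"))    # 404, same as a missing id
    print(handle_get_document("doc-404", "bob"))  # 404
```

Returning 404 rather than 403 for a resource the caller may not access is a deliberate choice: a 403 confirms that the id is valid, which is exactly the kind of unnecessary information the guideline is about.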
Rate limiting: All APIs must be rate limited, especially the ones that perform authentication/authorization, since unlimited attempts against a login or token endpoint allow password brute forcing, credential stuffing and account enumeration. Limit per client as well as per target account, and tell a throttled client when it may retry rather than why.
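An added example (not from this page) of a per-key token-bucket limiter with an injectable clock, plus a login check that consults one bucket keyed on the client address and another keyed on the target account, so that neither a single source spraying many accounts nor many sources hitting one account gets unlimited attempts. The capacities and refill rates in the usage block are illustrative, not recommendations from the page.

```python
import time


class TokenBucketLimiter:
    """Per-key token bucket: each key may burst up to `capacity` requests
    and then proceeds at `refill_per_sec`.  The clock is injectable so the
    behaviour can be checked deterministically."""

    def __init__(self, capacity, refill_per_sec, clock=time.monotonic):
        self.capacity = float(capacity)
        self.rate = float(refill_per_sec)
        self.clock = clock
        self._buckets = {}  # key -> (tokens, timestamp of last update)

    def check(self, key, cost=1.0):
        """Return (allowed, retry_after_seconds) and consume `cost` if allowed."""
        now = self.clock()
        tokens, last = self._buckets.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= cost:
            self._buckets[key] = (tokens - cost, now)
            return True, 0.0
        self._buckets[key] = (tokens, now)
        return False, (cost - tokens) / self.rate


def login_allowed(ip_limiter, account_limiter, client_ip, username):
    """Apply both limits to a login attempt.

    The per-IP bucket stops one source from hammering many accounts; the
    per-account bucket stops a distributed attack on one account.  The caller
    only learns how long to wait, not which limit tripped.
    """
    ok_ip, wait_ip = ip_limiter.check(f"ip:{client_ip}")
    ok_acct, wait_acct = account_limiter.check(f"acct:{username.lower()}")
    return ok_ip and ok_acct, max(wait_ip, wait_acct)


class FakeClock:
    """Manual clock for tests and demos."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    # Illustrative numbers: 100 attempts/IP burst at 1/s, 3 attempts/account
    # burst refilling one every 10 s.
    per_ip = TokenBucketLimiter(100, 1.0, clock=clock)
    per_account = TokenBucketLimiter(3, 0.1, clock=clock)
    for i in range(5):  # five different sources, one target account
        print(login_allowed(per_ip, per_account, f"198.51.100.{i}", "Alice"))
```

The generic limiter above is keyed on whatever string the caller passes, so the same class serves authenticated endpoints keyed on the principal and unauthenticated ones keyed on the client address.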
Disable debugging information in production: Debug output in production tells an attacker whether an attempt is succeeding and how the application is built internally. It must be disabled before deployment: turn off the framework's debug mode, verbose stack traces in responses, and any debug or profiling endpoints, and make the production configuration the default so that a forgotten flag fails safe.