roam/daily/2020-07-15.org

34 lines
1.6 KiB
Org Mode
Raw Normal View History

2021-09-01 20:57:39 +00:00
:PROPERTIES:
:ID: a1117ce1-b7ab-47ae-a06c-13b5bd9ced11
:END:
#+title: 2020-07-15
* Compromised Account Credentials
[2020-07-15 Wed 08:47]
This morning's plan for updating the [[id:d17e934b-b340-4246-88f0-9b36527100c0][Login Throttling]] code:
- [X] Tighten IP throttling to 3 requests in 12 hours
- [X]Revert last night's changes and move them to a separate branch for rework
- [X] Log additional information when a login attempt is throttled (username, IP, Sift ID)
- [X] Extend session timeout to reduce natural re-authentication to 7 days
- [X] Add dynamic throttling based on Sift ID
[2020-07-15 Wed 13:28]
- Implement CSRF on the login form by moving the form to the sites codebase
([[https://jira.aweber.io/browse/CCPANEL-10596][CCPANEL-10596]])
#+begin_quote
Gavin M Roy 28 minutes ago
Sure, my main reference for them would be to point out how Tornado does it as a built-in behavior:
https://www.tornadoweb.org/en/stable/guide/security.html#cross-site-request-forgery-protection
https://github.com/tornadoweb/tornado/blob/master/tornado/web.py#L1489
https://github.com/tornadoweb/tornado/blob/master/tornado/web.py#L1371
https://github.com/tornadoweb/tornado/blob/master/tornado/web.py#L1527
#+end_quote
Pages are moved into the CP with CSRF tokens being injected into the session and
the form. The controller is updated in a separate MR to require the token and
validate it against the value in the session. We're updating the F5 to route the
login and landing pages to the staging environment to test that they load
correctly. We'll do the same in production tomorrow, and then release the login
controller changes once that's done.