33 lines
1.6 KiB
Org Mode
33 lines
1.6 KiB
Org Mode
:PROPERTIES:
|
|
:ID: a1117ce1-b7ab-47ae-a06c-13b5bd9ced11
|
|
:END:
|
|
#+title: 2020-07-15
|
|
|
|
* Compromised Account Credentials
|
|
[2020-07-15 Wed 08:47]
|
|
This morning's plan for updating the [[id:d17e934b-b340-4246-88f0-9b36527100c0][Login Throttling]] code:
|
|
- [X] Tighten IP throttling to 3 requests in 12 hours
|
|
- [X]Revert last night's changes and move them to a separate branch for rework
|
|
- [X] Log additional information when a login attempt is throttled (username, IP, Sift ID)
|
|
- [X] Extend session timeout to reduce natural re-authentication to 7 days
|
|
- [X] Add dynamic throttling based on Sift ID
|
|
|
|
[2020-07-15 Wed 13:28]
|
|
- Implement CSRF on the login form by moving the form to the sites codebase
|
|
([[https://jira.aweber.io/browse/CCPANEL-10596][CCPANEL-10596]])
|
|
|
|
#+begin_quote
|
|
Gavin M Roy 28 minutes ago
|
|
Sure, my main reference for them would be to point out how Tornado does it as a built-in behavior:
|
|
https://www.tornadoweb.org/en/stable/guide/security.html#cross-site-request-forgery-protection
|
|
https://github.com/tornadoweb/tornado/blob/master/tornado/web.py#L1489
|
|
https://github.com/tornadoweb/tornado/blob/master/tornado/web.py#L1371
|
|
https://github.com/tornadoweb/tornado/blob/master/tornado/web.py#L1527
|
|
#+end_quote
|
|
|
|
Pages are moved into the CP with CSRF tokens being injected into the session and
|
|
the form. The controller is updated in a separate MR to require the token and
|
|
validate it against the value in the session. We're updating the F5 to route the
|
|
login and landing pages to the staging environment to test that they load
|
|
correctly. We'll do the same in production tomorrow, and then release the login
|
|
controller changes once that's done.
|