FederationOfTech / Coalesce

An open source volunteer management platform from the Federation of Humanitarian Technologists
GNU Affero General Public License v3.0

Review REST API security before deploying into production #36

Open stefanha opened 3 years ago

stefanha commented 3 years ago

During the hackathon, REST API endpoints did not enforce security. The frontend can set fields that may need to be locked down in production.

For example, the frontend can associate an Opportunity with any Organizer. A security policy is needed to prevent malicious frontends from misusing the REST API. Maybe only a User who is also an Organizer can add/remove themselves from an Opportunity.

Before deploying the website into production the REST API needs an audit to check that malicious clients do not have access to private data and that malicious clients cannot modify sensitive data.
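The Opportunity/Organizer gap described above, as an added illustration that is not Coalesce project code: the `User`, `Opportunity`, `Forbidden` types and the handler functions are hypothetical, Python is assumed for illustration only, and the in-memory models stand in for whatever the real API uses. The unchecked handler trusts the organizer id in the request body; the checked handlers enforce the proposed policy that only an authenticated User holding the Organizer role may add or remove themselves.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:
    id: int
    organizer_id: Optional[int] = None  # None means the user is not an Organizer

@dataclass
class Opportunity:
    id: int
    organizer_ids: set = field(default_factory=set)

class Forbidden(Exception):
    """Raised when the caller is not permitted to make the requested change."""

def add_organizer_unchecked(opp: Opportunity, body: dict) -> Opportunity:
    """Hackathon-style handler: trusts the client-supplied organizer id, so any
    frontend can attach any Organizer to any Opportunity."""
    opp.organizer_ids.add(body["organizer_id"])
    return opp

def _require_self_as_organizer(current_user: User, body: dict) -> int:
    """Shared policy check: caller must be an Organizer and may only act on
    their own Organizer record, regardless of what the body claims."""
    if current_user.organizer_id is None:
        raise Forbidden("caller does not hold the Organizer role")
    if body.get("organizer_id") != current_user.organizer_id:
        raise Forbidden("an Organizer may only add or remove themselves")
    return current_user.organizer_id

def add_organizer_checked(opp: Opportunity, current_user: User, body: dict) -> Opportunity:
    """Hardened handler: the organizer id written is derived from the
    authenticated user, never taken from the request body."""
    opp.organizer_ids.add(_require_self_as_organizer(current_user, body))
    return opp

def remove_organizer_checked(opp: Opportunity, current_user: User, body: dict) -> Opportunity:
    """Hardened removal: same policy as adding."""
    opp.organizer_ids.discard(_require_self_as_organizer(current_user, body))
    return opp

if __name__ == "__main__":
    alice = User(id=1, organizer_id=7)       # constructed sample user
    print(add_organizer_unchecked(Opportunity(1), {"organizer_id": 99}))  # any id accepted
    print(add_organizer_checked(Opportunity(2), alice, {"organizer_id": 7}))
    try:
        add_organizer_checked(Opportunity(3), alice, {"organizer_id": 99})
    except Forbidden as e:
        print("rejected:", e)
```

The same pattern applies to the audit the issue asks for on reads: a handler that filters by the authenticated user's identity rather than by an id the client sends.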

Jack-Lawton commented 3 years ago

Starting work on this