iScsc / iscsc.fr

The iScsc website, built with passion by wannabe devs 🔥
GNU General Public License v3.0

Monitor and log website traffic #10

Open ctmbl opened 1 year ago

ctmbl commented 1 year ago

Context: The #2 PR from @atxr has introduced User Authentication to our website: a mandatory feature to develop other services around the website. However, this PR also brought many security concerns... and we, as students, aren't fully capable of designing an entirely safe website, even a small one, despite all our interest in cyber-security. At least that's what I think.

Problem: Even with our best effort we can't design a safe website.

Solution: I then want to propose a complementary solution, which I think is also widely used in the industry and is quite an interesting challenge. Because we can't guarantee that the website is safe, we could monitor the traffic and log it. That would allow us to detect break-in attempts as early as possible. I don't know what kind of security and monitoring the current website and framework offer (defense against brute-forcing, automatic logging to a file, etc.) but I'm interested in looking deeper into the subject!

amtoine commented 1 year ago

great idea!

will probably not have time to help, but looking forward to it :+1:

atxr commented 1 year ago

That's an amazing idea. I haven't implemented any logs at the moment for the backend, and I don't think node does it automatically. Do you want to add it to the v0.0.2 milestone or maybe another one? It doesn't seem to be related to the changes of v0.0.2.

atxr commented 1 year ago

Some useful links:

ctmbl commented 1 year ago

Great! I can look at these subjects; I have a (little) bit of logging experience from my internship this past summer, so even if it's a new language and framework I can look into it :wink:

atxr commented 1 year ago

Thank you! Don't hesitate if you have questions about the framework! I assigned this feature to the v0.0.2 milestone!

ctmbl commented 1 year ago

I just discovered that nginx already logs every connection attempt, maybe we should build or configure a tool on top of it to monitor it? I don't think there is traffic that isn't logged by nginx, given that any attempt from a browser to reach the backend will eventually pass through nginx? But @atxr I'd like your advice

see sudo docker logs iscscfr-nginx-1 | tac | less on the iscsc remote server

ctmbl commented 1 year ago

https://www.digitalocean.com/community/tutorials/nginx-access-logs-error-logs should help regarding this issue

ctmbl commented 1 year ago

will wait for #86 and #95