The API currently has very little protection against common web attacks. There are some proposed 'fixes' to increase overall API safety:
repeated login prevention
API rate limiting (through nginx or in flask directly)
write unit tests for the API, website (compilation/typescript type coverage report) and voerbak
bind tokens to ip adress
check if api requests are coming from the intended website domain
I don't want to hinder regular users with these measures in any way, so I'm not going to add any agressive measures like requiring captcha's to access the website.
The API currently has very little protection against common web attacks. There are some proposed 'fixes' to increase overall API safety:
I don't want to hinder regular users with these measures in any way, so I'm not going to add any agressive measures like requiring captcha's to access the website.