Closed Wouter1 closed 1 year ago
Not sure if it helps, but I got a message from the security team indicating that a Nessus scan showed issues with the Remi application. My application itself is a very simple page with a few buttons and combo boxes only. Hard to imagine at this level what a Nessus security error even means.
I may be wrong, but my belief is that this project aims to provide a way to make apps to control or monitor things in a controlled environment. Kind of a development or debugging interface. Not a real website for the world to visit. I think of an intranet configuration interface or a robot management interface.
I haven't followed the changes on the codebase for a while; however, my understanding is that the interface is created by injecting JavaScript (which makes the system really flexible to do anything you want), which may need a fair amount of sanity checking to avoid the possibility of misuse.
If you plan to do web development, this is not really for web development. I see it more as a Qt/Tkinter library that can run in the browser and has quite a simple API.
On Mon, Dec 13, 2021, 23:56 Wouter1 wrote:
Not sure if it helps, but I got a message from the security team indicating that a Nessus scan showed issues with the Remi application. My application itself is a very simple page with a few buttons and combo boxes only. Hard to imagine at this level what a Nessus security error even means.
@awesomebytes
For me the idea is that you can make an application that runs both standalone (=secure, special users, and for testing) and can be deployed (for general use/demos/SAS etc).
I don't want to do "web development". I'm writing a simple app, not a web system. That's why this tool seemed so useful. It takes away all that "web development" stuff (servers, browsers, server/client side stuff, etc etc) that I don't care about for this project.
You are both right, my friends. Remi is not intended to make websites. It is made for local or intranet interfaces. So, it is safe to use it in a safe network. To use it remotely, consider using a VPN, a proxy and so on to obfuscate and protect the server.
@dddomodossola thanks.
Can you clarify a bit further? I'm primarily concerned with security on the server side. I have this simple app with a few buttons and text input fields. The text is processed on the server, in Python, to extract some features. If we would use a VPN or proxy as you suggest, would it really be secure, or would it just look superficially more safe? So, would the inherently unsafe calls still be possible? If the VPN or proxy alleviates this, would we need specific settings or filters somewhere? What configuration are you thinking of?
@Wouter1 using a VPN makes the application accessible only by trusted clients, so the security is implicit. Nonetheless, you can limit the application to be accessible only on the local machine by configuring a server address of 127.0.0.1.
@dddomodossola It seems there is a misunderstanding. By "putting it on the web" I do mean public. And certainly not localhost.
So there is no "trusted client" at all.
@Wouter1 ok, I understand, but remi is not intended to be used this way. I'm afraid you need a website in this case.
I read on the main page the quote below. This is a deal breaker, because writing a web application is, in the end, to put it on the web...
Is it possible to make this more secure? Or, what do tips like "not expose its access" or "when loading data from external sources" actually imply? How would I even know what Remi accesses internally regarding external sources?
May I suggest giving examples on how to actually do this?