I want some security professionals to review our authentication code and perform pen testing to see if we possibly have any vulnerabilities.
Here's our [docs on auth implementation](https://blitzjs.com/docs/session-management#how-it-works).
And here are the three main files pertaining to auth:
Is there any production website live using Blitz that we can target?
Is it required that you target the live version, or could I set up another deployment of quirrel.dev, one that's not critical?
Probably you can use https://blitz-jobs.com. Ok @sandulat?
> Is it required that you target the live version, or could I set up another deployment of quirrel.dev, one that's not critical?

It would be more realistic to do the pentest on a live version.
> Probably you can use https://blitz-jobs.com. Ok @sandulat?
That or the suggestion from @Skn0tt would work.
However, I will try to do everything locally and only fall back to blitz-jobs.com if necessary (if @sandulat gives permission, of course).
One thing we could consider doing is setting up an opinionated default set of security headers for new Blitz apps, based on OWASP Secure Headers, using Next.js Custom Headers.
Here are the header scan results for quirrel.dev as an example:
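As an added illustration (not code from this thread or from the Blitz project) of what such an opinionated default could look like: a header set in the shape Next.js's `headers()` config option expects, plus a small helper for comparing a scanned response against it. It assumes a `next.config.js`-style config module (Blitz's `blitz.config.js` is assumed to accept the same Next.js options) and that the header values chosen here are a reasonable starting point, not a tuned policy for any particular app.

```javascript
// Added example, not from the thread or the Blitz project. Header values
// follow the OWASP Secure Headers Project recommendations; the CSP below is
// deliberately strict and would need loosening for most real apps.
const securityHeaders = [
  { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "X-Frame-Options", value: "DENY" },
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
  {
    key: "Content-Security-Policy",
    value: "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'",
  },
];

// Shape consumed by next.config.js (assumed also by blitz.config.js):
// `module.exports = { headers }`, applied here to every route.
async function headers() {
  return [{ source: "/(.*)", headers: securityHeaders }];
}

// Compare a captured response's headers (a plain name->value object, e.g. the
// kind of data a header scan reports) against the defaults. Returns the keys
// that are absent or carry a different value; names compare case-insensitively.
function missingSecurityHeaders(responseHeaders) {
  const got = new Map(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v])
  );
  return securityHeaders
    .filter(({ key, value }) => got.get(key.toLowerCase()) !== value)
    .map(({ key }) => key);
}

// Constructed sample response: only nosniff is right, framing is SAMEORIGIN
// rather than DENY, everything else is missing.
const sampleResponse = {
  "content-type": "text/html",
  "x-content-type-options": "nosniff",
  "X-Frame-Options": "SAMEORIGIN",
};

module.exports = { headers, securityHeaders, missingSecurityHeaders, sampleResponse };
```

Running `missingSecurityHeaders(sampleResponse)` on the constructed sample reports the five headers that are absent or mismatched, which is the kind of gap a scan like the one above would surface.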
@flybayer @jose-donato Sorry for the delay! It's ok to test on https://blitz-jobs.com/.
@MrLeebo great idea on setting up secure headers by default somehow.
@flybayer I propose we put a page on blitzjs.com for reporting vulnerabilities because even if we perform our own pen testing, there is always the possibility of a non-contributor discovering an issue that we don't know about.