Blitz: Requesting Security Review/Pen Testing
What do you want and why?
I want some security professionals to review our authentication code and perform pen testing to see if we possibly have any vulnerabilities.
Here's our docs on auth implementation](https://blitzjs.com/docs/session-management#how-it-works).
And here's the three main files pertaining to auth:
flybayer
All 9 comments
There is any production website live using blitz that we can target?
jose-donato
on 19 Oct 2020
Is it required that you target the live version or could I setup another deployment of quirrel.dev one that's not critical?
Skn0tt
on 19 Oct 2020
Probably you can use https://blitz-jobs.com. Ok @sandulat?
flybayer
on 19 Oct 2020
Is it required that you target the live version or could I setup another deployment of quirrel.dev one that's not critical?
It would be more realistic doing the pentest on a live version.
Probably you can use https://blitz-jobs.com. Ok @sandulat?
That or the suggestion from @Skn0tt would work.
However, I will try to do everything locally and only if necessary fallback to blitz-jobs.com (if @sandulat gives permission, of course)
jose-donato
on 20 Oct 2020
One thing we could consider doing is set up an opinionated default set of security headers for new blitz apps based on OWASP Secure Headers using Next.js Custom Headers
MrLeebo
on 22 Oct 2020
Here are the header scan results for quirrel.dev as an example
MrLeebo
on 22 Oct 2020
@flybayer @jose-donato Sorry for the delay! It's ok to test on https://blitz-jobs.com/.
sandulat
on 22 Oct 2020
@MrLeebo great idea on setting up secure headers by default somehow
flybayer
on 25 Oct 2020
@flybayer I propose we put a page on blitzjs.com for reporting vulnerabilities because even if we perform our own pen testing, there is always the possibility of a non-contributor discovering an issue that we don't know about.
MrLeebo
on 21 Nov 2020
Related issues
aaronfulkerson
路
3Comments
LoriKarikari
路
4Comments
yhoiseth
路
3Comments
eorenstein1
路
3Comments
simonedelmann
路
3Comments