On 28.04.2019 21:42, aprekates wrote:
> Experimenting with wsgi and python webapp dev

I think it is a good practice in general to actually test if something bothers you. You can set up your virtualenv environment by the book in a test VM, and create a deliberately insecure Python webapp to test how virtualenv will behave if you try to execute shell commands from a web browser, try to steal passwords, execute SQL commands, read, write, or execute arbitrary files, etc. Check out what username is used when you do all that, and what limitations and options are available for it. If your system will host a few websites (Virtual Hosts), test whether you can access the information on any of them from another website or not. This way you can see how good the isolation is and its limitations, and how to fix and improve it.

WebDev IMO is hell with all those pip-s and npm-s out there pushing packages and modules and dependencies into your environment, and you have to audit their code yourself or blindly trust they are safe.

You should read the documentation, research and test to get the answers for every question you have. Understand how everything works internally. There are no step-by-step guides for security topics, because everything could be set up in myriad ways, constantly evolving and becoming so complex that there is almost never a straight answer for anything.

-- 
With kindest regards,
Alexander.

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁  Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀  https://www.debian.org
⠈⠳⣄⠀⠀⠀⠀
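As an added example (not code from the thread): a small WSGI app that reports the first things Alexander suggests checking in the test VM, namely which user the worker really runs as, which interpreter and prefix it uses, and whether it can read files it should never need. The PROBE_PATHS list and all function names are my own assumptions.

```python
import json
import os
import sys


def _username():
    """Resolve the effective uid to a name; None if the uid has no passwd entry."""
    try:
        import pwd
        return pwd.getpwuid(os.geteuid()).pw_name
    except (ImportError, KeyError):
        return None


def isolation_report(probe_paths):
    """Describe the identity and environment the WSGI worker actually runs with.

    probe_paths: files the app should NOT need. Each is reported as
    "readable", "denied" or "missing" so you can confirm the worker's
    permissions are as narrow as intended.
    """
    file_access = {}
    for path in probe_paths:
        try:
            with open(path, "rb") as fh:
                fh.read(1)
            file_access[path] = "readable"
        except PermissionError:
            file_access[path] = "denied"
        except FileNotFoundError:
            file_access[path] = "missing"
    return {
        "user": {"name": _username(), "uid": os.getuid(),
                 "euid": os.geteuid(), "gid": os.getgid()},
        "python": {
            "executable": sys.executable,
            "prefix": sys.prefix,
            # A virtualenv only changes the import path; it is not a sandbox.
            "in_virtualenv": sys.prefix != getattr(sys, "base_prefix", sys.prefix),
        },
        "cwd": os.getcwd(),
        "file_access": file_access,
    }


# Constructed list of paths a web worker has no business reading.
PROBE_PATHS = ["/etc/shadow", "/root/.bash_history"]


def application(environ, start_response):
    """Minimal WSGI entry point; run it only inside the throwaway test VM."""
    body = json.dumps(isolation_report(PROBE_PATHS), indent=2).encode()
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]
```

Serve it with any WSGI server (for example wsgiref's make_server) and compare the reported user and prefix with what your deployment is supposed to use.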