This repository has been archived by the owner on Dec 14, 2023. It is now read-only.

API to be closed down #364

Open
tangentfairy-zz opened this issue Aug 10, 2015 · 3 comments
Comments

@tangentfairy-zz
Member

Need to lock down API except for coderdojo.com and changex.org (changeX needs to be able to access this particular API endpoint: http://zentest.coderdojo.com:8000/api/1.0/dojos)

@dberesford dberesford assigned dberesford and ghost and unassigned dberesford Aug 17, 2015
@ghost

ghost commented Aug 18, 2015

  • CORS
  • OWASP ZAP Audit
    • Hide server error details in production
    • X-Frame-Options
    • X-Content-Type
    • X-XSS-Protection
    • Add autocomplete="off" to password fields
      • This can increase security in older browsers and is ignored by newer browsers
    • Make sure private IPs aren't being leaked
      • They weren't
    • Other errors reported by the audit were for third party sites like Google Maps
    • Rerun audit on zentest after updates are deployed.
  • x-download-options
  • Strict-Transport-Security
    • enable in production and not development
  • CSP
  • Hapi security plugins
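The checklist above maps to a small set of response headers plus an error-sanitising rule. As an added example (not the project's own code), the helper below builds that header set as a plain object and applies it to a response, so it can be used from a hapi `onPreResponse` extension or from a framework-agnostic test; `securityHeaders`, `sanitizeError` and `applyTo` are hypothetical names, and the CSP value is an assumed placeholder policy, not one the issue specifies.

```javascript
// Added example, not the project's code. Headers from the audit checklist:
// X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, X-Download-Options,
// CSP, and Strict-Transport-Security only in production.

const HEADERS_ALWAYS = {
  'X-Frame-Options': 'DENY',                 // no framing by any origin
  'X-Content-Type-Options': 'nosniff',       // stop MIME sniffing of responses
  'X-XSS-Protection': '1; mode=block',       // legacy filter for older browsers
  'X-Download-Options': 'noopen',            // IE: do not open downloads in-place
  // Assumed placeholder policy; a real deployment tunes this to its asset origins.
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
};

// Returns the header set for the given environment ('production' or anything else).
function securityHeaders(env) {
  const headers = { ...HEADERS_ALWAYS };
  // HSTS is enabled only in production: once a browser has seen it for a host it
  // refuses plain HTTP to that host for max-age seconds, which would break a
  // development hostname that is served without TLS.
  if (env === 'production') {
    headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
  }
  return headers;
}

// "Hide server error details in production": the client gets a generic 500 body;
// the message and stack stay in server logs only. Outside production the detail
// is returned to make debugging easier.
function sanitizeError(err, env) {
  const body = { statusCode: 500, error: 'Internal Server Error' };
  if (env !== 'production') {
    body.message = err.message;
    body.stack = err.stack;
  }
  return body;
}

// Applies the headers to any object exposing header(name, value), which is the
// shape of a hapi response toolkit result. Returns the response for chaining.
function applyTo(response, env) {
  for (const [name, value] of Object.entries(securityHeaders(env))) {
    response.header(name, value);
  }
  return response;
}

// Constructed stand-in for a response object, so the example runs without hapi.
function fakeResponse() {
  const headers = {};
  return { headers, header(name, value) { headers[name] = value; return this; } };
}

// Hapi wiring would look like (requires @hapi/hapi, not loaded here):
//   server.ext('onPreResponse', (request, h) => applyTo(request.response, process.env.NODE_ENV));
```

`applyTo(fakeResponse(), 'production').headers` yields the full set including HSTS; the same call with `'development'` omits it, and `sanitizeError(new Error('connection string leaked'), 'production')` carries neither `message` nor `stack`.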

@tpambor

tpambor commented Nov 1, 2016

Is it possible to get public API access to the endpoints which do not require authentication (endpoints handled with "actHandler", not "actHandlerNeedsUser" etc.)? Currently this is not possible due to CORS.

We are especially interested in the https://zen.coderdojo.com/api/2.0/events/search endpoint to automatically keep the list of the upcoming Dojos updated. This would make things a lot easier as we manage our Dojos registration solely through the Zen platform.

I don't see a security flaw coming up if access is only provided to the APIs requiring no authentication but I would like to hear your comments on that.

We have an implementation in progress at coderdojoka/coderdojoka.github.io#23. This may also be a starting point for other Dojos who would like to implement similar functionality.
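The request above is a per-route CORS policy: endpoints that need no user may answer any origin, while endpoints that need a user stay restricted to first-party origins. The helper below is an added example (not the project's code) modelling that decision; the route table, the `needsUser` flag standing in for the page's "actHandler" vs "actHandlerNeedsUser" split, the origin allowlist and the `corsHeadersFor` name are all constructed for the example.

```javascript
// Added example, not the project's code. Decides which CORS response headers a
// route returns for a given request Origin.

// Constructed allowlist of first-party origins (the issue names coderdojo.com and changex.org).
const FIRST_PARTY_ORIGINS = new Set([
  'https://coderdojo.com',
  'https://zen.coderdojo.com',
  'https://changex.org',
]);

// Constructed route table: path -> whether the handler needs an authenticated user.
const ROUTES = {
  '/api/2.0/events/search': { needsUser: false },
  '/api/1.0/dojos':         { needsUser: false },
  '/api/2.0/users/me':      { needsUser: true },
};

// Returns the CORS headers to add, or null when none should be added (the
// browser then blocks a cross-origin read). `origin` is the request's Origin
// header; it is absent on same-origin navigations.
function corsHeadersFor(path, origin) {
  const route = ROUTES[path];
  if (!route || !origin) return null;

  if (!route.needsUser) {
    // Public data: any origin may read it, but never with credentials. A wildcard
    // origin cannot be combined with Allow-Credentials, so a third-party page can
    // never make the browser attach the Zen session cookie and read the result.
    return { 'Access-Control-Allow-Origin': '*' };
  }

  if (FIRST_PARTY_ORIGINS.has(origin)) {
    // Authenticated endpoint, first-party caller: echo the exact origin and allow
    // credentials; Vary: Origin keeps caches from serving one origin's answer to another.
    return {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
      'Vary': 'Origin',
    };
  }

  return null; // authenticated endpoint, third-party caller
}

// Equivalent per-route hapi configuration (illustrative, @hapi/hapi not loaded here):
//   public route:        options: { cors: { origin: ['*'] } }
//   authenticated route: options: { cors: { origin: [...FIRST_PARTY_ORIGINS], credentials: true } }
```

The split also fixes the original lock-down requirement: `http://zentest.coderdojo.com:8000/api/1.0/dojos` stays reachable from `changex.org` because it needs no user, while anything behind `actHandlerNeedsUser` is still invisible to third-party pages.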

@Wardormeur
Contributor

True, removing any CORS limitation on non-authenticated API calls could make sense. I need some insight from @DanielBrierton to validate the idea.
In the meantime, send an email to webteam{at}coderdojo.com, we're testing stuff :)
