YetAnotherToDoList/server/README.md

# Server

## SSL/TLS

You can generate a self-signed certificate for testing like this:

```bass
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout keyFile.key -out certFile.crt
```

Or obtain a signed certificate from [let's encrypt](https://letsencrypt.org/).

## CSRF

CSRF should not be possible because we check for the `Authorization` http header
(instead of cookies) when accessing protected recourses.

Because of this, CRIME/BREACH http attacks should also be not possible.

## XSS

We rely on Vue.js's ability to escape user-input in templates.
add doc for auth-flow, server security & conf file 2023-11-17 15:29:44 +01:00			`# Server`

			`## SSL/TLS`

			`You can generate a self-signed certificate for testing like this:`

			```bass
			`openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout keyFile.key -out certFile.crt`
			```

			`Or obtain a signed certificate from [let's encrypt](https://letsencrypt.org/).`

			`## CSRF`

			CSRF should not be possible because we check for the `Authorization` http header
			`(instead of cookies) when accessing protected recourses.`

			`Because of this, CRIME/BREACH http attacks should also be not possible.`

			`## XSS`

			`We rely on Vue.js's ability to escape user-input in templates.`