DEV Community


Risk of making a website open source.

Rahul kumar (ats1999) ・1 min read

I saw a lot of open-source projects used by millions of people, but few of them are websites where users can access protected resources and authenticate themselves.

I think the reason is authentication and data integrity. I think website owners are scared about website security; that's why they don't make the website open source.

I am specifically involved in MERN stack development, and I want to make an open-source website for developers.

On this website, all developers' data will be publicly visible to the world, excluding private data and contact details.

This website will have an admin, who can enter all data into the database using the web interface (frontend). I want this operation to be secured.

Overall, I want to make a website where everyone can see data, but the editing operation will be carried out by an authenticated person.

So, I want to use JWT to authorize the admin and store the JWT token in the browser cookie (same-site and server-side cookie).

How can I make a secured open source website?

Sorry for poor English and bad writing skills.

Discussion (4)

Aloïs Micard (creekorful)

Generally speaking, you shouldn't be afraid of disclosing the source code of your website to other developers. While you may disclose vulnerabilities, other developers may find them and help fix them. I think that for a 'small' website, going open source is the way; the exploits that hackers may find will be by pentesting / fuzzing your application, not by going through the source code, don't worry about that.

What you want to do is use state-of-the-art security practices, such as stateless JWT tokens if your application is un-coupled (frontend, API). Just make sure to pick a strong & secure JWT implementation and not a random one that may contain exploits. Cryptography is really a big field and you should pick implementations made by experts.

Other than that, read some books / blog post about security, or ask questions, people are generally nice, and you'll learn a lot.

TL;DR: don't be afraid of making your website open source, pick the best / secure cryptography library out there and ask questions when you're stuck. Security through obscurity is certainly not the way to go.

And share your website with us when you're done :)

Rahul kumar (ats1999, Author)

Thanks for your precious time.

I agree this out by going through the source code, don't worry about that.
I'll share my website once it's done.

Scott Simontis (ssimontis)

Why not make a second application for the admin interface that is not accessible from the public Internet? You could set it up on a machine you must have a VPN connection with in order to access it and gain a greater degree of security.

Also, when publishing lots of details, I suggest you read the EU General Data Protection Regulation. Not exciting stuff to read, but it will explain all of your responsibilities as the owner of all that data and things you will have to consider - users requesting data inaccuracies to be fixed, disclosing the chain of custody for all data, gathering consent, etc.

Also, your English and writing skills are very good, no need to apologize! In fact, I will give you a virtual high five for your writing!

Rahul kumar (ats1999, Author)

Thanks for making me confident about my writing and English.
I'll go through the EU General Data Protection Regulation.