diff --git a/docs/tutorial/views.rst b/docs/tutorial/views.rst index f490eb84..e8cdfd40 100644 --- a/docs/tutorial/views.rst +++ b/docs/tutorial/views.rst @@ -213,12 +213,12 @@ There are a few differences from the ``register`` view: session. The data is stored in a *cookie* that is sent to the browser, and the browser then sends it back with subsequent requests. Flask securely *signs* the data so that it can't be tampered with. - -In this tutorial - for debugging purposes - the error messages are explicit -about the origin of the corresponding failure: a user already exists, the password + +In this tutorial - for debugging purposes - the error messages are explicit +about the origin of the corresponding failure: a user already exists, the password is incorrect or the username does not exist. In a real world application, it is discouraged to do so, as this information might be helpful to potential attackers. To learn more about -secure handling of error messages, see the +secure handling of error messages, see the [OWASP recommendations](https://owasp.org/www-project-proactive-controls/v3/en/c10-errors-exceptions). Now that the user's ``id`` is stored in the :data:`session`, it will be
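Review bot: the link added in this hunk uses Markdown syntax (`[OWASP recommendations](https://owasp.org/www-project-proactive-controls/v3/en/c10-errors-exceptions)`), but the file is reStructuredText (`docs/tutorial/views.rst`), where that will not render as a hyperlink and will show the brackets and parentheses literally; use the RST form instead, e.g. `` `OWASP recommendations <https://owasp.org/www-project-proactive-controls/v3/en/c10-errors-exceptions>`_ ``. The `+` lines otherwise only strip trailing whitespace from the `-` lines, so the net change is a whitespace cleanup plus a link that still needs converting; consider also replacing the spaced hyphens in "In this tutorial - for debugging purposes - the error messages" with commas or parentheses, which reads more naturally in the rest of this tutorial's prose.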