Add disclaimer for proper error message handling
As the Flask tutorial explicitly returns messages that might reveal useful information to potential attackers, a section was added to raise awareness that in a real-world application the reader might want to use more generic error messages as advised by the OWASP project (a link to the documentation of OWASP is provided).
This commit is contained in:
parent 2a54cfa5ce
commit c40974bf11
1 changed files with 7 additions and 0 deletions
@ -213,6 +213,13 @@ There are a few differences from the ``register`` view:
session. The data is stored in a *cookie* that is sent to the
browser, and the browser then sends it back with subsequent requests.
Flask securely *signs* the data so that it can't be tampered with.
In this tutorial - for debugging purposes - the error messages are explicit
about the origin of the corresponding failure: a user already exists, the password
is incorrect or the username does not exist. In a real world application, it is discouraged
to do so, as this information might be helpful to potential attackers. To learn more about
secure handling of error messages, see the
[OWASP recommendations](https://owasp.org/www-project-proactive-controls/v3/en/c10-errors-exceptions).
Now that the user's ``id`` is stored in the :data:`session`, it will be
available on subsequent requests. At the beginning of each request, if
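Review bot: the link on the last added line uses Markdown syntax, `[OWASP recommendations](https://owasp.org/www-project-proactive-controls/v3/en/c10-errors-exceptions)`, but this file is reStructuredText (the surrounding context uses the ``register`` literal and the :data:`session` role), so Sphinx will emit the brackets and the raw URL as plain text instead of a hyperlink; use rST link syntax such as `` `OWASP recommendations <https://owasp.org/www-project-proactive-controls/v3/en/c10-errors-exceptions>`_ `` so the reference actually renders. Two smaller wording points in the same paragraph: "real world application" should be hyphenated as "real-world application", and "In a real world application, it is discouraged to do so, as ..." reads more naturally as "In a real-world application this is discouraged, because ...".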