From c40974bf11b5e3133a978e24adef686ca0f296aa Mon Sep 17 00:00:00 2001 From: John Braun Date: Mon, 31 Oct 2022 21:12:17 +0100 Subject: [PATCH] Add disclaimer for proper error message handling As the Flask tutorial explicitly returns messages that might reveal useful information to potential attackers, a section was added to raise awareness that in a real world application the reader might want to use more generic error messages as advised by the OWASP project (a link to the documentation of OWASP is provided). --- docs/tutorial/views.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/tutorial/views.rst b/docs/tutorial/views.rst index 7092dbc2..f490eb84 100644 --- a/docs/tutorial/views.rst +++ b/docs/tutorial/views.rst @@ -213,6 +213,13 @@ There are a few differences from the ``register`` view: session. The data is stored in a *cookie* that is sent to the browser, and the browser then sends it back with subsequent requests. Flask securely *signs* the data so that it can't be tampered with. + +In this tutorial - for debugging purposes - the error messages are explicit +about the origin of the corresponding failure: a user already exists, the password +is incorrect or the username does not exist. In a real world application, it is discouraged +to do so, as this information might be helpful to potential attackers. To learn more about +secure handling of error messages, see the +[OWASP recommendations](https://owasp.org/www-project-proactive-controls/v3/en/c10-errors-exceptions). Now that the user's ``id`` is stored in the :data:`session`, it will be available on subsequent requests. At the beginning of each request, if
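Review bot: The link in the last added line of the hunk uses Markdown syntax, `[OWASP recommendations](https://owasp.org/...)`, but `docs/tutorial/views.rst` is reStructuredText, so Sphinx will render it as literal brackets and parentheses rather than a hyperlink; use the RST form `` `OWASP recommendations <https://owasp.org/www-project-proactive-controls/v3/en/c10-errors-exceptions>`_ `` instead. The new paragraph also ends directly before the existing line "Now that the user's ``id`` is stored in the :data:`session`" with no blank line between them, so the two will be merged into one paragraph; add a blank `+` line after the link line. Minor wording: "In this tutorial - for debugging purposes - the error messages" reads more naturally as "In this tutorial the error messages are deliberately explicit", and "real world application" should be hyphenated as "real-world application" to match the rest of the tutorial's prose.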