Add disclaimer for proper error message handling

As the Flask tutorial explicitly returns messages that might reveal useful information to potential attackers, a section was added to raise awareness that in a real-world application the reader might want to use more generic error messages as advised by the OWASP project (a link to the documentation of OWASP is provided).
John Braun 2022-10-31 21:12:17 +01:00 committed by GitHub
parent 2a54cfa5ce
commit c40974bf11


@ -213,6 +213,13 @@ There are a few differences from the ``register`` view:
session. The data is stored in a *cookie* that is sent to the
browser, and the browser then sends it back with subsequent requests.
Flask securely *signs* the data so that it can't be tampered with.
In this tutorial - for debugging purposes - the error messages are explicit
about the origin of the corresponding failure: a user already exists, the password
is incorrect or the username does not exist. In a real world application, it is discouraged
to do so, as this information might be helpful to potential attackers. To learn more about
secure handling of error messages, see the
[OWASP recommendations](https://owasp.org/www-project-proactive-controls/v3/en/c10-errors-exceptions).
Now that the user's ``id`` is stored in the :data:`session`, it will be
available on subsequent requests. At the beginning of each request, if
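Review bot: the link in the added paragraph uses Markdown syntax, `[OWASP recommendations](https://owasp.org/...)`, but this file is reStructuredText (note the surrounding ``register`` and :data:`session` markup), so the link will render as literal brackets; use rST syntax such as `` `OWASP recommendations <https://owasp.org/www-project-proactive-controls/v3/en/c10-errors-exceptions>`_ `` instead. The new text also needs a blank line before "In this tutorial" and after the link line, otherwise rST will merge it with the paragraph ending "tampered with." and with the following "Now that the user's ``id``" paragraph; the hunk header counts 7 added lines while only 6 are shown here, so one blank line may have been lost in rendering, but both separators should be present. A wording nit: "it is discouraged to do so" reads awkwardly; "this is discouraged" or "avoid doing so" is cleaner.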