| |
|---|
User security | Each user is required to register an account. Hashing the passwords using sha256 to keep the users password secure. Interactions with the server are tracked with “/sendInvoice” requiring the user to be logged in. All “/sendInvoice” calls are logged, with details as to: Who sent the request Who was emailed.
|
|---|
Secrets security | Our service requires a number of secrets to operate, which are kept private and never published into the GitHub repo. These include: We kept them in a number of secure places. When developing locally we kept a file which was added to git ignore. We also kept them on github in its “secrets” section. This is an encrypted part of github that allowed us to use the variables within our testing with github actions.
For access during deployment, they were added to the deployment environment on heroku. The login for our postgres database was also automatically added to the deployment enviorment.
|
Server security | The secret_key to secure the flask server is a randomly generated key that’s only stored on the heroku deployment server, ensuring privacy The server is also deployed on heroku with 2 step verification enabled to keep the database login and server admin tools secure.
|