
Originally Posted by Affenbrotbaum
So far I can only come up with the obvious:
- only transferring critical user data in a hashed form
- Implement somewhat of a DDoS prevention that locks out certain IPs
- Clean up incoming strings right after reading them from a client and vice versa

"Security" is not only about intrusion prevention and hiding sensitive information. It's also about keeping your server responsive and functional, for instance by preventing clients from keeping the connection open forever if they are not using it. Otherwise you'll run out of resources, and it doesn't have to be caused by any malicious action (although of course it could be). You also have to be prepared to receive data, and amounts of data, that you don't expect. A simple example of a wrong approach would be something that people very often do in their servers:
void Server::onReadyRead() {
    if(!socket->canReadLine()) return;
    QByteArray data = socket->readLine();
    processRequest(data);
}
What if you never get a newline? It can happen when the client doesn't send you a newline or if the request is larger than the socket buffer size and the newline is stuck on the sender's side.
There are many other similar things to consider.
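One way to bound both failure modes described in the post above (a newline that never arrives, and a connection that sits open unused), as an added example that is not code from the thread. It is written in standard C++ rather than Qt so it runs on its own; `BoundedLineReader`, its limits and its status names are hypothetical, and in a Qt server the slot connected to `readyRead` would pass `socket->readAll()` to `feed()` and close the socket on any status other than `Ok`.

```cpp
#include <chrono>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical helper, not a Qt class: per-connection line buffer with a
// hard length cap and a deadline for receiving a complete line.
class BoundedLineReader {
public:
    using Clock = std::chrono::steady_clock;
    enum class Status { Ok, LineTooLong, TimedOut };
    BoundedLineReader(std::size_t maxLine, std::chrono::seconds limit, Clock::time_point now)
        : maxLine_(maxLine), limit_(limit), lastLine_(now) {}
    // Feed whatever bytes arrived; complete lines are appended to `out`.
    Status feed(const std::string& chunk, Clock::time_point now, std::vector<std::string>& out) {
        for (char c : chunk) {
            if (c == '\n') {                      // request complete
                out.emplace_back(buf_);
                buf_.clear();
                lastLine_ = now;                  // only full lines reset the deadline
            } else if (buf_.size() >= maxLine_) { // newline never came within the cap
                buf_.clear();
                return Status::LineTooLong;       // caller closes the connection
            } else {
                buf_.push_back(c);
            }
        }
        return Status::Ok;
    }
    // Call from a periodic timer; catches idle and slow-drip clients alike.
    Status checkDeadline(Clock::time_point now) const {
        return (now - lastLine_ > limit_) ? Status::TimedOut : Status::Ok;
    }
    std::size_t pending() const { return buf_.size(); }
private:
    std::size_t maxLine_;
    std::chrono::seconds limit_;
    Clock::time_point lastLine_;
    std::string buf_;
};

int main() {  // constructed input: 64 bytes, no newline
    BoundedLineReader r(16, std::chrono::seconds(30), BoundedLineReader::Clock::now());
    std::vector<std::string> lines;
    auto s = r.feed(std::string(64, 'A'), BoundedLineReader::Clock::now(), lines);
    std::cout << (s == BoundedLineReader::Status::LineTooLong ? "drop client\n" : "ok\n");
}
```

Because the deadline is reset only when a full line arrives, a client that trickles single bytes is timed out just like one that sends nothing.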