Docs/security in gatsby

[luizcieslak]

Hi! I had some question while doing this writing and I'd like a feedback:

1. Should I write about GDPR rules in this doc?
2. In Third-party Scripts section I thought about recommending Ackee, which is a open-source self-hosted analytics alternative. Should I?
3. Is CSRF section relevant even when the solutions are backend only?

Also, I did not read Alex Moon's blog post entirely yet to not become biased. If there is some topics that you see important to have here please let me know.

Description

A documentation page for Security in Gatsby :)

Documentation

It is a documentation itself.

Related Issues

closes #13305

[moonmeister]

Looks like a really good start. Thanks for getting this together.

Should I write about GDPR rules in this doc?

I don't think GDPR makes sense for this doc, but could be another doc if the team things it's a good idea.

In Third-party Scripts section I thought about recommending Ackee, which is a open-source self-hosted analytics alternative. Should I?

Again, doesn't seem relevant to security. maybe a privacy/GDPR doc.

Is CSRF section relevant even when the solutions are backend only?

It's still possible for ffolks to add client side things to their gatsby sites, so yes, it's good!

Finally, I think there should probably be a section on key security. for things like APIs. If you need a place to start my blog post on security focused on that.

[moonmeister]

This isn't entirely true. there are several other packages that do this. html-to-react and html-react-parser are the two I've used. I think these both sanitize on the client side, but not on SSR (but don't quote me on that...). They offer a lot of additional features too but those are not inherently related to security. I'd include this information some how so folks no it's an option...I'll leave it to you exactly how this should be done.

[luizcieslak]

You are right. There are alternatives to dangerouslySetInnerHTML but they don't sanitize HTML. see remarkablemark/html-react-parser#94 and aknuds1/html-to-react#79.

I reformulate the phrase to mention the html-to-react package, what do you think?

[moonmeister]

I'd at least mention them. I'm fairly sure html-react-parser doesn't do script tags on the client side (I ran into this on a project). one could also use the custom parsing functionality in these to sanitize html

[luizcieslak]

I mentioned html-react-parser! Please check again and see that if it is good.

[moonmeister]

Maybe needs an example. not totally understanding how/why this works.

[luizcieslak]

Yes, totally. I add a more clear example.

[laurieontech]

I believe this is still outstanding?

[moonmeister]

This definitely needs some explanation. How do I control access, to the third-party scripts, or to GTM?

[luizcieslak]

Absolutely. I expanded with 2 docs links to Google

[moonmeister]

I'd add the yarn equivalent. and may be worth noting the yarn v1 and v2 version if they differ.

[luizcieslak]

yarn v2 does not support audit yet. I changed the writing to talk about yarn as well.

[moonmeister]

Expound on "other plugins"...I understand it's unreasonable to list every incompatible plugin, but please define why or what makes a plugin incompatible.

[luizcieslak]

Sure thing! I wrote the reason after that, which is more detailed in the issue.

[moonmeister]

This needs to be re written it's pretty confusing. https://en.wikipedia.org/wiki/Cross-site_request_forgery has some good explanations you can quote from. If you do choose to fix what you have I think it would still be helpful to link out to a more complete resource like Wikipedia for those interested in diving deeper than the quick overviews we're providing here (this applies to XSS as well).

[luizcieslak]

In these past few days, I'm exploring more in the topic in CS253 - Web Security classes from Stanford. I'll rewrite this section, making it simple, doing some quotes and linking these resources.

[moonmeister]

You "copy the site" example above could be fixed by simply scoping your cookies to a certain domain. Make sure you info is accurate (I'm no expert here either) and complete (aka. solve every problem you present, and do so correctly). Again, I think since security is such a deep and nuanced topic it'll be to your benefit to keep these short and simple then link out to more complete resources.

[moonmeister]

on further thought...Based on how this info is presented Tokens seem to be "THE" solution. I'm guessing they are just one, of many solutions. Present it as such, "On way CSRF attacks can be mitigated..., .... To read more on this topic check out....", then link out to more in depth resources.

[moonmeister]

Sry I just realized you do have the Same-site cookies example...Fix you headings please The "How Can it be prevented" should probably be a ### header and then each example be #### header. Optionally, Instead of presenting several problems then several solutions, Give one problem, and its solution, then another and its solution...etc.

[luizcieslak]

Ok, sorry about that! I think that is good we are learning things while doing this. I'm gonna rewrite this section.

[moonmeister]

no need to be sorry. you're doing great work, just trying to give helpful feedback. thanks and keep it up. I've already learned a thing or two.

[luizcieslak]

You are!

[moonmeister]

This covers build variables well but not client side keys. Not sure if the note is intended to cover it cause the language is a bit confusing.

[luizcieslak]

Yes, this note does not cover this part. What do you think it should be here regarding client-side keys? encryption? known methods, e.g. JWT?

[moonmeister]

I think this doc should be a starting point. so defining the issue and maybe an example of how to solve then (again) links out to more thorough resources (like Gatsby's docs on keys and env variables).

[laurieontech]

Thanks for the work here! Really great start. I left some suggestions surrounding formatting and wording.

[laurieontech]

@luizcieslak I know you're incorporating some different feedback here so please let me know when you're ready for another review! Thanks again for the amazing work.

[laurieontech]

This is coming along really well! Some small edits and a couple bigger questions. But I'd say we should be able to get this in shortly.

[laurieontech]

I believe this is still outstanding?

[laurieontech]

Thank you so much for your work on this! I think we're good to merge this. 🥳

[luizcieslak]

I thank you @laurieontech and @moonmeister for the patience and review! I learned a lot 🤗