---json
{
    "canonical": ":security",
    "description": "At combostrap, we take the security of your website seriously. This articles shows you what we do about it.",
    "page_id": "luuua1fabsxm8rkj0qvth",
    "template": "holy-medium"
}
---

====== What are the security measures that we take? ======

===== About =====
At [[:about_us|Combostrap]], we are taking security very seriously and take the following measures to prevent any attack.

===== Prevention =====
Below are the steps that we have taken to prevent the following attacks.
==== Cross-site request attack ====

Every form uses a token to prevent a [[kb>csrf|cross-site request attack (CSRF)]])

==== Injection Attack ====
To prevent an [[kb>injection/attack|injection attack]]:
  * every HTML output is escaped to prevent HTML/Javascript injection.
  * every SQL input is passed through parameters to prevent [[kb>sql/injection|SQL injection]]
  * every [[docs:content:svg|SVG]] got the ''script'' node deleted.
  * No HTML attribute is allowed with the exception of the [[:docs:styling:class|class]]. Why? They allow code injections such as [[kb>ClickJacking]]

==== Content Security Policy ====

We apply the [[https://w3c.github.io/webappsec-csp/|Content Security Policy framework]].

By default, we disallow:
    * the framing of the website to prevent clickjacking.
    * the use of ''http'' and ''https'' at the same time

==== No leak ====

We set the ''Referrer-Policy'' to not send private URL to external domain.



===== Dokuwiki =====
''Dokuwiki'' follows also this rules (see [[doku>devel:security]]). We are making use of the CSRF token functionality.

===== Reporting Security Issues =====
For any security concern or issue, you can contact us at [[security@combostrap.com]]