About

At Combostrap, we take security very seriously and have taken the following measures to prevent attacks.

Prevention

Below are the steps that we have taken to prevent the following attacks.

Cross-site request forgery

Every form uses a token to prevent a cross-site request forgery (CSRF) attack.
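The following is an added example (not Combostrap's or DokuWiki's own code) of how a per-session form token is issued and verified. It assumes a server-side session store (modelled here by an in-memory dictionary) and binds each token to the form it was issued for, so a token captured from one form cannot be replayed against another; the comparison is constant-time so the check does not leak timing information.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory session store (assumption: a real server keeps this
# server-side, keyed by the session cookie). Each session owns a random secret.
SESSIONS = {}


def new_session():
    """Create a session and return its id (what the cookie would carry)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_secret": secrets.token_bytes(32)}
    return sid


def issue_token(sid, form_name):
    """Token to embed as a hidden field in the form named form_name.

    HMAC(session secret, form name): unpredictable to a third-party site,
    and specific to this session and this form.
    """
    secret = SESSIONS[sid]["csrf_secret"]
    return hmac.new(secret, form_name.encode("utf-8"), hashlib.sha256).hexdigest()


def check_token(sid, form_name, submitted):
    """Return True only if the submitted value is the token for this session and form."""
    if sid not in SESSIONS or not isinstance(submitted, str):
        return False
    expected = issue_token(sid, form_name)
    # compare_digest avoids early-exit timing differences
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    sid = new_session()
    token = issue_token(sid, "edit-page")
    print("legitimate submit accepted:", check_token(sid, "edit-page", token))
    print("forged submit (no token) rejected:", not check_token(sid, "edit-page", ""))
```

A page served to the user embeds `issue_token(sid, form_name)` as a hidden field; the handler for the POST calls `check_token` before doing anything with the request and rejects it on `False`. A request forged from another origin cannot include a valid token because the forging site never sees the session secret.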

Injection Attack

To prevent an injection attack:

  • every HTML output is escaped to prevent HTML/JavaScript injection;
  • every SQL input is passed as a bound parameter to prevent SQL injection;
  • every SVG has its script nodes deleted;
  • no HTML attribute other than class is allowed, because arbitrary attributes open the door to injections such as clickjacking.
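The four measures above, as an added example that is not Combostrap's own code: output escaping, a parameterised query, script-node removal from SVG, and an attribute allow list that keeps only class. The table name, the allow list and the sample SVG are constructed for the example; the SVG cleaner also drops on* event-handler attributes, which goes one step beyond the page's stated rule and is marked as such.

```python
import html
import sqlite3
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # keep the serialised output free of ns0: prefixes

# Constructed allow list: Combostrap keeps only the class attribute.
ALLOWED_ATTRIBUTES = {"class"}


def escape_html(text):
    """Escape &, <, >, " and ' so user text can never close or open a tag."""
    return html.escape(text, quote=True)


def render_tag(name, attrs, text):
    """Render a known (trusted) tag name with filtered attributes and escaped text."""
    kept = {k: v for k, v in attrs.items() if k.lower() in ALLOWED_ATTRIBUTES}
    attr_str = "".join(f' {k}="{escape_html(v)}"' for k, v in kept.items())
    return f"<{name}{attr_str}>{escape_html(text)}</{name}>"


def make_demo_db():
    """Constructed in-memory table standing in for a real page index."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pages (title) VALUES (?)", [("home",), ("about",)])
    return conn


def find_pages_by_title(conn, title):
    """Bound parameter: the driver sends the value separately from the SQL text,
    so a title like "' OR 1=1 --" is just a string that matches nothing."""
    cur = conn.execute("SELECT id, title FROM pages WHERE title = ?", (title,))
    return cur.fetchall()


def strip_svg_scripts(svg_text):
    """Remove every <script> element (namespaced or not) from an SVG document.

    Going beyond the page's rule, on* event-handler attributes are dropped too.
    """
    root = ET.fromstring(svg_text)
    # Snapshot the element list first: removing children while iterating is unsafe.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag.split("}")[-1] == "script":
                parent.remove(child)
        for attr in list(parent.attrib):
            if attr.lower().startswith("on"):
                del parent.attrib[attr]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(render_tag("span", {"class": "note", "onclick": "x()"}, "a<b"))
    print(find_pages_by_title(make_demo_db(), "' OR 1=1 --"))
    sample = ('<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
              '<script>alert(1)</script><circle r="5"/></svg>')  # constructed
    print(strip_svg_scripts(sample))
```

`render_tag` assumes the tag name itself comes from the renderer, never from user input; only the attribute values and the text are untrusted. For SVG, parsing and re-serialising is preferable to a regex over the raw text because it handles namespaced tags, comments and odd whitespace the same way the browser's parser will.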

Content Security Policy

We apply the Content Security Policy framework.

By default, we disallow:

  • framing of the website, to prevent clickjacking;
  • mixed content, i.e. the use of http and https resources on the same page.

No leak

We set the Referrer-Policy header so that private URLs are not sent to external domains.
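An added example (not Combostrap's own configuration) of the response headers that implement the two sections above, together with a small audit function that parses a Content-Security-Policy header and reports whether framing is restricted, mixed content is blocked, and the Referrer-Policy keeps paths off other origins. The exact directive values are assumptions: the page says what is disallowed, not which directives Combostrap emits.

```python
# Referrer-Policy values that never send the path or query to another origin.
SAFE_REFERRER_POLICIES = {
    "no-referrer",
    "same-origin",
    "strict-origin",
    "strict-origin-when-cross-origin",
}


def security_headers():
    """Headers a page would send; values are assumed, not Combostrap's actual ones."""
    csp = "; ".join([
        "default-src 'self'",
        "frame-ancestors 'none'",    # no site may frame us: clickjacking defence
        # Forbid http subresources on an https page. Browsers are phasing this
        # directive out in favour of upgrade-insecure-requests; either satisfies
        # "no mixed content" in the audit below.
        "block-all-mixed-content",
    ])
    return {
        "Content-Security-Policy": csp,
        "X-Frame-Options": "DENY",  # legacy fallback for frame-ancestors
        # Cross-origin navigations receive only the origin, never the page path.
        "Referrer-Policy": "strict-origin-when-cross-origin",
    }


def parse_csp(header):
    """Turn "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_headers(headers):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    csp = parse_csp(headers.get("Content-Security-Policy", ""))

    ancestors = csp.get("frame-ancestors")
    if not ancestors or any(v not in ("'none'", "'self'") for v in ancestors):
        findings.append("framing not restricted: frame-ancestors missing or permissive")

    if "block-all-mixed-content" not in csp and "upgrade-insecure-requests" not in csp:
        findings.append("mixed content not blocked")

    if headers.get("Referrer-Policy", "") not in SAFE_REFERRER_POLICIES:
        findings.append("Referrer-Policy may send full URLs to other origins")

    return findings


if __name__ == "__main__":
    print(audit_headers(security_headers()))
    weak = {"Content-Security-Policy": "default-src 'self'", "Referrer-Policy": "unsafe-url"}
    print(audit_headers(weak))
```

The audit accepts `frame-ancestors 'self'` as well as `'none'` because both stop third-party framing; a policy that is missing the directive entirely, or lists external origins, is flagged. An absent Referrer-Policy is also flagged: the browser default only protects the path on downgrade, not on every cross-origin request.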

DokuWiki

DokuWiki also follows these rules (see devel:security). We make use of its CSRF token functionality.

Reporting Security Issues

For any security concern or issue, you can contact us at security [at] combostrap [dot] com