About
At Combostrap, we take security seriously and have put the following measures in place to prevent attacks.
Prevention
Below are the steps we have taken to prevent the following attacks.
Cross-site request forgery
Every form carries a token to prevent cross-site request forgery (CSRF).
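The token mechanism described above, as an added illustration (not Combostrap's or DokuWiki's own code): a random per-session token is rendered into each form as a hidden field and compared in constant time on submission. A page on another origin cannot read the token, so a forged request arrives without it and is rejected. The in-memory SESSIONS dict and the field name csrf_token are assumptions made for the example.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-in for a server-side session store: session id -> session data.
SESSIONS: Dict[str, Dict[str, str]] = {}


def new_session() -> str:
    """Create a session and attach a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_field(sid: str) -> str:
    """Hidden input a form template renders for this session (field name is an assumption)."""
    return '<input type="hidden" name="csrf_token" value="%s">' % SESSIONS[sid]["csrf"]


def verify_csrf(sid: str, submitted: Optional[str]) -> bool:
    """True only if the submitted token matches the token bound to the session.

    compare_digest avoids leaking the token byte-by-byte through timing.
    """
    session = SESSIONS.get(sid)
    if session is None or not submitted:
        return False
    return hmac.compare_digest(session["csrf"], submitted)


def handle_post(sid: str, form: Dict[str, str]) -> str:
    """Simulated form handler: reject any state-changing request whose token is absent or wrong."""
    if not verify_csrf(sid, form.get("csrf_token")):
        return "rejected: missing or invalid CSRF token"
    return "ok: %s" % form.get("action", "no action")


if __name__ == "__main__":
    sid = new_session()
    # A legitimate submission includes the field rendered by csrf_field().
    token = SESSIONS[sid]["csrf"]
    print(handle_post(sid, {"csrf_token": token, "action": "save page"}))
    # A cross-site forgery cannot read the token, so it arrives without one.
    print(handle_post(sid, {"action": "delete page"}))
```

Tokens should be tied to the session (as here) and regenerated on login, so that a token obtained before authentication is not valid afterwards.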
Injection Attack
To prevent injection attacks:
- every HTML output is escaped to prevent HTML/JavaScript injection.
- every SQL input is passed as a bound parameter to prevent SQL injection.
- every SVG has its script nodes deleted.
- no HTML attribute is allowed except class, because attributes enable code injection and attacks such as clickjacking.
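The SVG and attribute rules above, as an added example that is not the project's code: the first function deletes every script element from an SVG document, the second re-emits an HTML fragment keeping only the class attribute and re-escaping text. Beyond what the page states, the SVG function also strips on* event-handler attributes, a precaution a practitioner would normally pair with script removal; that addition is marked in the code. The sample inputs are constructed.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # keep the default namespace on output

# Only this HTML attribute survives filtering.
ALLOWED_ATTRS = {"class"}


def _local(name: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def sanitize_svg(svg_text: str) -> str:
    """Delete every <script> element; additionally drop on* event-handler attributes.

    The on* stripping is an extra precaution, not something the page states.
    NOTE: xml.etree does not defend against entity-expansion attacks; for untrusted
    input a hardened parser such as defusedxml is the usual choice.
    """
    root = ET.fromstring(svg_text)
    if _local(root.tag) == "script":
        raise ValueError("document root is a script element")
    # Materialise the element list first so removals do not disturb iteration.
    for element in list(root.iter()):
        for child in list(element):
            if _local(child.tag) == "script":
                element.remove(child)
        for attr in list(element.attrib):
            if _local(attr).startswith("on"):
                del element.attrib[attr]
    return ET.tostring(root, encoding="unicode")


class AttributeFilter(HTMLParser):
    """Re-emit an HTML fragment keeping only whitelisted attributes; text is re-escaped."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []

    def _emit_start(self, tag, attrs, self_closing):
        kept = ""
        for name, value in attrs:
            if name.lower() in ALLOWED_ATTRS and value is not None:
                kept += ' %s="%s"' % (name.lower(), html.escape(value, quote=True))
        self.out.append("<%s%s%s>" % (tag, kept, " /" if self_closing else ""))

    def handle_starttag(self, tag, attrs):
        self._emit_start(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_start(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        # Text content is escaped on the way out, so markup inside text stays inert.
        self.out.append(html.escape(data))


def filter_html_attributes(fragment: str) -> str:
    parser = AttributeFilter()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed samples: a script element and an inline handler inside an SVG,
    # and an HTML fragment carrying onclick and style attributes.
    svg = ('<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script>'
           '<circle r="4" onload="alert(2)"/></svg>')
    print(sanitize_svg(svg))
    print(filter_html_attributes('<p onclick="x()" class="note">Hi &amp; <b style="y">there</b></p>'))
```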
Content Security Policy
We apply a Content Security Policy (CSP).
By default, we disallow:
- framing of the website, to prevent clickjacking.
- mixed content (loading http resources on an https page).
No leak
We set the Referrer-Policy header so that private URLs are not sent to external domains.
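One way to express the two header-based measures above (the CSP section and this Referrer-Policy section), as an added example rather than Combostrap's configuration: the header values are the editor's assumptions about how the stated policy could be written (the page does not quote them), and the small checker verifies that a given CSP actually forbids cross-site framing and upgrades mixed content. The referer_sent function is a simplified model of what a browser sends under a few Referrer-Policy values, so the difference between the values is visible on a constructed private URL.

```python
from typing import Dict, List
from urllib.parse import urlsplit

# Assumed header values; frame-ancestors 'none' forbids framing and
# upgrade-insecure-requests turns http: subresource requests into https:.
SECURITY_HEADERS = {
    "Content-Security-Policy": "frame-ancestors 'none'; upgrade-insecure-requests",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def allows_cross_site_framing(csp: str) -> bool:
    """True if some other origin could embed the page in a frame under this CSP."""
    ancestors = parse_csp(csp).get("frame-ancestors")
    if ancestors is None:
        return True  # directive absent: CSP imposes no framing restriction
    # An empty source list behaves like 'none'; 'self' permits only same-origin framing.
    return any(src not in ("'none'", "'self'") for src in ancestors)


def upgrades_mixed_content(csp: str) -> bool:
    return "upgrade-insecure-requests" in parse_csp(csp)


def referer_sent(policy: str, page_url: str, target_url: str) -> str:
    """Referer value a browser sends navigating from page_url to target_url.

    Simplified model: both URLs are assumed https, and the fragment is never sent.
    """
    src, dst = urlsplit(page_url), urlsplit(target_url)
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    full_url = page_url.split("#", 1)[0]
    origin_only = "%s://%s/" % (src.scheme, src.netloc)
    if policy == "no-referrer":
        return ""
    if policy == "same-origin":
        return full_url if same_origin else ""
    if policy == "strict-origin-when-cross-origin":
        return full_url if same_origin else origin_only
    if policy == "no-referrer-when-downgrade":
        return full_url  # full URL, including path and query, reaches the other site
    raise ValueError("policy not modelled here: %s" % policy)


if __name__ == "__main__":
    csp = SECURITY_HEADERS["Content-Security-Policy"]
    print("cross-site framing allowed:", allows_cross_site_framing(csp))
    print("mixed content upgraded:", upgrades_mixed_content(csp))
    # Constructed private wiki URL: the path and query should not reach other.example.
    private = "https://wiki.example/private:page?rev=3"
    for policy in ("no-referrer-when-downgrade", SECURITY_HEADERS["Referrer-Policy"]):
        print(policy, "->", repr(referer_sent(policy, private, "https://other.example/")))
```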
DokuWiki
DokuWiki also follows these rules (see devel:security). We make use of its CSRF token functionality.
Reporting Security Issues
For any security concern or issue, you can contact us at security [at] combostrap [dot] com