Other Security Measures
Standard webapp security measures:
- Reasonable Content Security Policy header
- No third party assets (e.g. fonts, images, stylesheets, or javascript).
- Secure-only cookie with a single random session id & protection against timing attacks on session database query.
- Contents of a user’s session are encrypted in the database and only readable by the web application.
- Protection against session injection attacks.
- CSRF token required for every request that might change data.
- Does not leak the referrer URL.
Raft security measures:
- JWT token required for requests that don’t use cookies.
- Absolutely no caching to the client device disk (“no-store”).
- Immediate logout when the last tab closes (WIP)
- All URLs that grant access are encrypted with a “day key” that is purged when the date passes.
- Exception is thrown if authorization for a request is not defined.
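As an added illustration (not Raft's own code), the following Python sketch shows how several of the measures above fit together: a random session id whose database key is a hash (so the lookup cannot be timed byte by byte and a database dump yields no usable id), a constant-time CSRF check for state-changing requests, and the CSP, no-store, referrer and Secure-cookie headers. The in-memory SESSION_DB and all function names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for the session database (hypothetical, not Raft's).
# Keys are SHA-256 fingerprints of session ids, so a database dump never
# yields a usable session id.
SESSION_DB: dict = {}


def _fingerprint(session_id: str) -> str:
    return hashlib.sha256(session_id.encode()).hexdigest()


def create_session(user: str):
    """Return (session_id, csrf_token); only the id goes into the cookie."""
    session_id = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    csrf_token = secrets.token_urlsafe(32)
    SESSION_DB[_fingerprint(session_id)] = {"user": user, "csrf": csrf_token}
    return session_id, csrf_token


def lookup_session(session_id: str) -> Optional[dict]:
    # Hash before the query: any timing difference in the database lookup now
    # depends on the digest, which the client cannot steer byte by byte.
    return SESSION_DB.get(_fingerprint(session_id))


def csrf_valid(session_id: str, submitted_token: str) -> bool:
    """Check on every request that might change data; constant-time compare."""
    record = lookup_session(session_id)
    if record is None:
        return False
    return hmac.compare_digest(record["csrf"], submitted_token)


def response_headers(session_id: str) -> dict:
    """Headers implementing the CSP, no-store, referrer and cookie rules."""
    return {
        "Content-Security-Policy": "default-src 'self'",  # no third-party assets
        "Cache-Control": "no-store",                      # nothing cached to disk
        "Referrer-Policy": "no-referrer",                 # do not leak the URL
        "Set-Cookie": f"sid={session_id}; Secure; HttpOnly; SameSite=Strict; Path=/",
    }
```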